Sec Bug #67717 segfault in dns_get_record
Submitted: 2014-07-30 12:42 UTC Modified: 2014-08-21 07:41 UTC
From: remi@php.net Assigned: remi
Status: Closed Package: *Network Functions
PHP Version: 5.4.31 OS: irrelevant
Private report: No CVE-ID: 2014-3597
 [2014-07-30 12:42 UTC] remi@php.net
Description:
------------
Testing the patch for CVE-2014-4049 we discovered some other possible buffer overflows.

- the code relies on dlen (from the server response) without an overflow check
- the code calls dn_expand without passing the real "end" of the answer




Patches

dbs-parser.patch (last revision 2014-07-30 13:50 UTC) by remi@php.net
repro.patch (last revision 2014-07-30 13:18 UTC) by remi@php.net
dns-parser.patch (last revision 2014-07-30 12:44 UTC) by remi@php.net


Pull Requests


History

 [2014-07-30 12:44 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: dns-parser.patch
Revision:   1406724256
URL:        https://bugs.php.net/patch-display.php?bug=67717&patch=dns-parser.patch&revision=1406724256
 [2014-07-30 12:46 UTC] remi@php.net
Initial patch proposal

- add the answer end to the php_parserr function

- add a simple MACRO to check for buffer overflow

- check buffer overflow for dlen

- use the real "end" (instead of answer->qb2+65536) in dn_expand calls


Probably more CHECKCP() calls are needed.
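The two defects named in the report and in the patch summary above (trusting the server-supplied dlen without checking it against the remaining answer, and decoding names without the real end of the buffer) are shown below in a small self-contained TXT record parser. This is an added illustration written for this page; it is not PHP's php_parserr code and not the patch from this bug. The CHECKCP() macro here is a hypothetical one modelled on the macro the comment mentions, the name decoder is a minimal label skipper standing in for dn_expand (so the block builds without libresolv), and the DNS records in the demo functions are constructed by hand.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical bounds-check macro in the spirit of the CHECKCP() from the report:
 * bail out if reading n bytes at cp would run past the real end of the answer. */
#define CHECKCP(cp, n, end) \
    do { if ((size_t)(n) > (size_t)((end) - (cp))) return -1; } while (0)

/* Skip one DNS name (labels or a compression pointer) without reading past end.
 * Stand-in for dn_expand() being handed the real end pointer. */
static int skip_name(const unsigned char *cp, const unsigned char *end,
                     const unsigned char **out)
{
    for (;;) {
        CHECKCP(cp, 1, end);
        unsigned char len = *cp;
        if (len == 0) { cp++; break; }                       /* root label */
        if ((len & 0xC0) == 0xC0) { CHECKCP(cp, 2, end); cp += 2; break; } /* pointer */
        if (len > 63) return -1;                             /* invalid label length */
        cp++;
        CHECKCP(cp, len, end);
        cp += len;
    }
    *out = cp;
    return 0;
}

/* Parse one TXT resource record (NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA) that starts
 * at answer. Concatenates the <character-string>s into txt. Returns the text length,
 * or -1 if the record does not fit inside answer_len bytes. */
int parse_txt_rr(const unsigned char *answer, size_t answer_len, char *txt, size_t txt_cap)
{
    const unsigned char *cp = answer;
    const unsigned char *end = answer + answer_len;          /* real end of the answer */
    if (skip_name(cp, end, &cp) < 0) return -1;
    CHECKCP(cp, 10, end);                                    /* fixed RR header */
    uint16_t type = (uint16_t)((cp[0] << 8) | cp[1]);
    uint16_t dlen = (uint16_t)((cp[8] << 8) | cp[9]);        /* server-controlled */
    cp += 10;
    if (type != 16) return -1;                               /* TXT only */
    /* The check the report describes as missing: dlen must fit in the remaining
     * answer before any of the RDATA it claims to cover is read. */
    CHECKCP(cp, dlen, end);
    const unsigned char *rdend = cp + dlen;
    size_t n = 0;
    while (cp < rdend) {
        unsigned char slen = *cp++;
        if (slen > (size_t)(rdend - cp)) return -1;          /* string must fit in RDATA */
        if (n + slen >= txt_cap) return -1;                  /* and in the output buffer */
        memcpy(txt + n, cp, slen);
        n += slen;
        cp += slen;
    }
    txt[n] = '\0';
    return (int)n;
}

/* Constructed record: NAME "www", TYPE 16, CLASS 1, TTL 0, RDLENGTH 6, RDATA "\x05hello". */
int demo_well_formed(void)
{
    static const unsigned char rr[] = { 3,'w','w','w',0, 0,16, 0,1, 0,0,0,0, 0,6,
                                        5,'h','e','l','l','o' };
    char txt[256];
    return parse_txt_rr(rr, sizeof rr, txt, sizeof txt);   /* 5 */
}

/* Same record, but RDLENGTH claims 65535 bytes while only 6 follow. */
int demo_oversized_dlen(void)
{
    static const unsigned char rr[] = { 3,'w','w','w',0, 0,16, 0,1, 0,0,0,0, 0xFF,0xFF,
                                        5,'h','e','l','l','o' };
    char txt[256];
    return parse_txt_rr(rr, sizeof rr, txt, sizeof txt);   /* -1 */
}

/* RDLENGTH is honest, but the inner character-string length runs past RDATA. */
int demo_oversized_string(void)
{
    static const unsigned char rr[] = { 3,'w','w','w',0, 0,16, 0,1, 0,0,0,0, 0,6,
                                        9,'h','e','l','l','o' };
    char txt[256];
    return parse_txt_rr(rr, sizeof rr, txt, sizeof txt);   /* -1 */
}

int main(void)
{
    printf("well-formed: %d\n", demo_well_formed());
    printf("oversized dlen: %d\n", demo_oversized_dlen());
    printf("oversized string: %d\n", demo_oversized_string());
    return 0;
}
```

Every length that arrives from the network (label length, RDLENGTH, character-string length) is compared against the distance to the real end pointer before a single byte behind it is touched, which is the property the patch's CHECKCP() and the extra end argument to php_parserr are meant to restore.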
 [2014-07-30 13:18 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: repro.patch
Revision:   1406726280
URL:        https://bugs.php.net/patch-display.php?bug=67717&patch=repro.patch&revision=1406726280
 [2014-07-30 13:19 UTC] remi@php.net
The simple reproducer (gracefully provided by David Kutalek from Red Hat) allows running a "fake" local DNS server, which provides specially crafted answers to client.php.
 [2014-07-30 13:50 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: dbs-parser.patch
Revision:   1406728243
URL:        https://bugs.php.net/patch-display.php?bug=67717&patch=dbs-parser.patch&revision=1406728243
 [2014-07-31 01:00 UTC] stas@php.net
We'll need a CVE for this most probably. And keep it under wraps till 5.4.32 etc. release as it seems to be remotely triggerable by rogue DNS server.
 [2014-08-14 07:48 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2014-3597
 [2014-08-14 07:48 UTC] remi@php.net
Assigned: CVE-2014-3597 php: incomplete fix for CVE-2014-4049 DNS TXT record parsing (missing check for dlen)
 [2014-08-19 07:17 UTC] remi@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: remi
 [2014-08-19 07:17 UTC] remi@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

http://git.php.net/?p=php-src.git;a=commitdiff;h=2fefae47716d501aec41c1102f3fd4531f070b05
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=529da0f74c1a230d0656799efc73a387392dbc10
Log: Fixed bug #67717 - segfault in dns_get_record
Last updated: Wed Feb 22 22:01:36 2017 UTC