PHP :: Sec Bug #67717 :: segfault in dns_get

Sec Bug #67717	segfault in dns_get_record
Submitted:	2014-07-30 12:42 UTC	Modified:	2014-08-21 07:41 UTC
From:	remi@php.net	Assigned:	remi (profile)
Status:	Closed	Package:	*Network Functions
PHP Version:	5.4.31	OS:	irrevelant
Private report:	No	CVE-ID:	2014-3597

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	remi@php.net
New email:
PHP Version:		OS:

New Comment:

[2014-07-30 12:42 UTC] remi@php.net

Description:
------------
Testing patch for CVE-2014-4049 we discover some other possible buffer overflow.

- code rely on dlen (from server response) without overflow check
- code call dn_expand without sending real "end" of answer

Patches

dbs-parser.patch (last revision 2014-07-30 13:50 UTC by remi@php.net)
repro.patch (last revision 2014-07-30 13:18 UTC by remi@php.net)
dns-parser.patch (last revision 2014-07-30 12:44 UTC by remi@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-07-30 12:44 UTC] remi@php.net

The following patch has been added/updated:

Patch Name: dns-parser.patch
Revision:   1406724256
URL:        https://bugs.php.net/patch-display.php?bug=67717&patch=dns-parser.patch&revision=1406724256

[2014-07-30 12:46 UTC] remi@php.net

Initial patch proposal

- and answer end to php-parserr function

- and simple MACRO to check buffer overflow

- check buffer overflow for dlen

- use real "end" (instead of answer->qb2+65536) in dn_expand calls


Probably more CHECKCP() are needed.

[2014-07-30 13:18 UTC] remi@php.net

The following patch has been added/updated:

Patch Name: repro.patch
Revision:   1406726280
URL:        https://bugs.php.net/patch-display.php?bug=67717&patch=repro.patch&revision=1406726280

[2014-07-30 13:19 UTC] remi@php.net

The simple reproducer (gracefully provided by David Kutalek from Red Hat) allow to run a "fake" local DNS server, which provide specially crafted answers to client.php.

[2014-07-30 13:50 UTC] remi@php.net

The following patch has been added/updated:

Patch Name: dbs-parser.patch
Revision:   1406728243
URL:        https://bugs.php.net/patch-display.php?bug=67717&patch=dbs-parser.patch&revision=1406728243

[2014-07-31 01:00 UTC] stas@php.net

We'll need a CVE for this most probably. And keep it under wraps till 5.4.32 etc. release as it seems to be remotely triggerable by rogue DNS server.

[2014-08-14 07:48 UTC] remi@php.net

-CVE-ID: +CVE-ID: 2014-3597

[2014-08-14 07:48 UTC] remi@php.net

Assigned: CVE-2014-3597 php: incomplete fix for CVE-2014-4049 DNS TXT record parsing (missing check for dlen)

[2014-08-19 07:17 UTC] remi@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: remi

[2014-08-19 07:17 UTC] remi@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

http://git.php.net/?p=php-src.git;a=commitdiff;h=2fefae47716d501aec41c1102f3fd4531f070b05

[2014-10-07 23:13 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=529da0f74c1a230d0656799efc73a387392dbc10
Log: Fixed bug #67717 - segfault in dns_get_record

[2014-10-07 23:24 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=529da0f74c1a230d0656799efc73a387392dbc10
Log: Fixed bug #67717 - segfault in dns_get_record

[2021-10-03 17:58 UTC] aazl at gmail dot com

https://google.co.jp/url?q=https://a.tvfun.me/habibati-man-takoun/

[2021-10-03 17:59 UTC] olkkhfy at gmail dot ccom

https://google.com.au/url?q=https://a.tvfun.me/habibati-man-takoun/

[2021-10-03 18:08 UTC] php5443 at gmail dot com

https://images.google.co.jp/url?q=https%3A%2F%2Fa.tvfun.me%2Fhabibati-man-takoun%2F

[2021-10-03 23:12 UTC] php5443 at gmail dot com

https://images.google.lv/url?q=https%3A%2F%2Fa.tvfun.me%2Fal-kadiboun-wa-chomou3ohom%2F
https://images.google.ee/url?q=https%3A%2F%2Fa.tvfun.me%2Fal-kadiboun-wa-chomou3ohom%2F
https://images.google.ca/url?q=https%3A%2F%2Fa.tvfun.me%2Fal-kadiboun-wa-chomou3ohom%2F
https://images.google.co.cr/url?q=https%3A%2F%2Fa.tvfun.me%2Fal-kadiboun-wa-chomou3ohom%2F
https://images.google.is/url?q=https%3A%2F%2Fa.tvfun.me%2Fal-kadiboun-wa-chomou3ohom%2F

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 23:01:28 2024 UTC