php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #69418 CVE-2006-7243 fix regressions in 5.4+
Submitted: 2015-04-10 12:46 UTC Modified: 2015-05-19 05:34 UTC
From: thoger at redhat dot com Assigned: laruence
Status: Closed Package: *Directory/Filesystem functions
PHP Version: 5.5.23 OS:
Private report: No CVE-ID: 2015-4025
 [2015-04-10 12:46 UTC] thoger at redhat dot com
Description:
------------
After seeing CVE-2015-2348 and CVE-2014-5120, which are both 5.4+ regressions of parts of the CVE-2006-7243 fix, I ran some quick testing to catch more similar regressions (only for ext/standard).  Here are few more issues I noticed.  Tested on 5.5.23, quick look at git 5.6 branch suggests 5.6 should be affected similarly.

* set_include_path - not sure if this can use 5.4-like fix using zend_parse_parameters() 'p' format, or needs 5.3-like fix with strlen(new_value) != new_value_len

$ php -r 'var_dump(set_include_path("/path/to/php\0extra")); echo get_include_path()."\n";'
string(32) ".:/usr/share/pear:/usr/share/php"
/path/to/php

* tempnam - dir is checked to be path and not contain \0, prefix is not

$ php -r 'var_dump(tempnam("/tmp\0extra", "prefix"));'
PHP Warning:  tempnam() expects parameter 1 to be a valid path, string given in Command line code on line 1
NULL

$ php -r 'var_dump(tempnam("/tmp/", "prefix\0extra"));'
string(17) "/tmp/prefixh3EaGL"

* rmdir

$ php -r 'var_dump(rmdir("/tmp/foo\0extra"));'
PHP Warning:  rmdir(/tmp/foo): No such file or directory in Command line code on line 1
bool(false)

* readlink

$ php -r 'var_dump(readlink("/bin/sh\0extra"));'
string(4) "bash"

For reference, here are links for CVE-2006-7243 fixes in 5.3 and 5.4:

5.3 http://git.php.net/?p=php-src.git;a=commitdiff;h=ce96fd6
5.4 http://git.php.net/?p=php-src.git;a=commitdiff;h=32b5f8a


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-04-10 22:22 UTC] yohgaki@php.net
-Status: Open +Status: Verified
 [2015-04-10 22:22 UTC] yohgaki@php.net
[yohgaki@dev php-src]$ php -r 'ini_set("open_basedir","/tmp/foo\0bar"); var_dump(ini_get("open_basedir"));'
string(8) "/tmp/foo"

Looks like we need to check path related codes to be complete.
 [2015-04-16 21:30 UTC] yohgaki@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2015-05-12 19:40 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=be9b2a95adb504abd5acdc092d770444ad6f6854
Log: Fixed bug #69418 - more s->p fixes for filenames
 [2015-05-12 19:40 UTC] stas@php.net
-Status: Verified +Status: Closed
 [2015-05-12 22:58 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=be9b2a95adb504abd5acdc092d770444ad6f6854
Log: Fixed bug #69418 - more s->p fixes for filenames
 [2015-05-13 10:53 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bbe4b87e1d1fa858c208368a28c0fb17c7774fe0
Log: Fixed bug #69418 - more s->p fixes for filenames
 [2015-05-19 05:34 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence -CVE-ID: +CVE-ID: 2015-4025
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Jun 27 08:01:51 2017 UTC