php5 crashed with SIGSEGV in memcpy()

Bug #351730 reported by Kees Cook
Affects         Status         Importance   Assigned to   Milestone
php             Unknown        Unknown
php5 (Ubuntu)   Fix Released   Undecided    Unassigned

Bug Description

Binary package hint: php5

<?php
$cert="-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
";
$arr = openssl_x509_parse($cert);
?>

http://bugs.php.net/bug.php?id=47828

ProblemType: Crash
Architecture: amd64
DistroRelease: Ubuntu 9.04
ExecutablePath: /usr/bin/php5
Package: php5-cli 5.2.6.dfsg.1-3ubuntu2
ProcCmdline: php
ProcEnviron:
 SHELL=/bin/bash
 PATH=(custom, user)
 LANG=en_US.UTF-8
Signal: 11
SourcePackage: php5
StacktraceTop:
 memcpy () from /lib/libc.so.6
 _estrndup ()
 add_next_index_stringl ()
 ?? ()
 zif_openssl_x509_parse ()
Title: php5 crashed with SIGSEGV in memcpy()
Uname: Linux 2.6.28-11-generic x86_64
UserGroups: adm admin audio cdrom dialout dip floppy fuse libvirtd lpadmin mythtv plugdev sambashare scanner video

Kees Cook (kees) wrote :
visibility: private → public
Marc Deslauriers (mdeslaur) wrote :
Kees Cook (kees) wrote :

#0 0x00007f92c332d2a3 in memcpy () from /lib/libc.so.6
#1 0x00000000006551b8 in _estrndup (s=0x7fffce3e2f30 "0Y�\001",
    length=4294967295) at /usr/include/bits/string3.h:52
#2 0x0000000000674fbb in add_next_index_stringl (arg=0x1c25a60,
    str=0x7fffce3e2f30 "0Y�\001", length=4294967295, duplicate=1)
    at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_API.c:1213
#3 0x0000000000466fdd in add_assoc_name_entry (val=0x6f1f9f,
    key=0x101b63c40 <Address 0x101b63c40 out of bounds>, name=0x1b10e20,
    shortname=32767)
    at /build/buildd/php5-5.2.6.dfsg.1/ext/openssl/openssl.c:307
#4 0x000000000046720d in zif_openssl_x509_parse (ht=29541608,
    return_value=0x6e69207372656b61, return_value_ptr=0xffffbfff,
    this_ptr=0x3fbc, return_value_used=1048576)
    at /build/buildd/php5-5.2.6.dfsg.1/ext/openssl/openssl.c:1024
#5 0x00000000006a8b6d in zend_do_fcall_common_helper_SPEC (
    execute_data=0x7fffce3e32a0)
    at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:200
#6 0x00000000006940a4 in execute (op_array=0x1c24a10)
    at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend_vm_execute.h:92
#7 0x000000000066fd68 in zend_execute_scripts (type=32767, retval=0x0,
    file_count=-834784296) at /build/buildd/php5-5.2.6.dfsg.1/Zend/zend.c:1215
#8 0x0000000000629ef2 in php_execute_script (primary_file=Cannot access memory at address 0x8000ce3e2330
)
    at /build/buildd/php5-5.2.6.dfsg.1/main/main.c:2028
#9 0x00000000006f020b in main (argc=-834774360, argv=0x7f92c32b9210)
    at /build/buildd/php5-5.2.6.dfsg.1/sapi/cli/php_cli.c:1148
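
Frames #1 and #2 of the backtrace above show length=4294967295, which is the value -1 takes when read as an unsigned 32-bit integer. As an added illustration (not code from PHP or from this report), the C sketch below shows how such a length wraps an allocation size to 0 and how testing the return value first avoids the copy. convert_field, alloc_size_for and dup_field_checked are hypothetical names, and the premise that the length came from an unchecked error return is an assumption the report does not state.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical converter: length on success, -1 on a malformed byte (>= 0x80). */
static int convert_field(const unsigned char *in, int in_len, char *out)
{
    for (int i = 0; i < in_len; i++) {
        if (in[i] >= 0x80)
            return -1;
        out[i] = (char)in[i];
    }
    return in_len;
}

/* Size that a "duplicate n bytes" helper computes when it takes an unsigned
 * 32-bit length and reserves one extra byte for the terminator (a model). */
unsigned int alloc_size_for(unsigned int length)
{
    return length + 1;              /* 4294967295 + 1 wraps to 0 */
}

/* Hardened caller: the return value is tested before it is used as a size.
 * Returns a heap copy (caller frees) or NULL when the field is skipped. */
char *dup_field_checked(const unsigned char *in, int in_len)
{
    char buf[256];
    if (in_len < 0 || in_len >= (int)sizeof buf)
        return NULL;
    int len = convert_field(in, in_len, buf);
    if (len < 0)
        return NULL;                /* error code never becomes a length */
    char *copy = malloc((size_t)len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, buf, (size_t)len);
    copy[len] = '\0';
    return copy;
}

int main(void)
{
    const unsigned char good[] = "Example CA";            /* constructed */
    const unsigned char bad[] = { '0', 'Y', 0x82, 0x01 }; /* constructed */
    char *ok = dup_field_checked(good, (int)sizeof good - 1);
    char *no = dup_field_checked(bad, (int)sizeof bad);
    printf("alloc size for -1: %u\n", alloc_size_for((unsigned int)-1));
    printf("good=%s bad=%s\n", ok ? ok : "(null)", no ? no : "(skipped)");
    free(ok);
    return 0;
}
```

With a wrapped allocation size of 0 and a copy length near 4 GiB, the copy runs off the end of mapped memory, which matches a fault inside memcpy() rather than a failed allocation.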

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.2.6.dfsg.1-3ubuntu3

---------------
php5 (5.2.6.dfsg.1-3ubuntu3) jaunty; urgency=low

  * debian/patches/fix-segfault-in-openssl.patch: Fixes sigsegv
    when using openssl_x509_parse (LP: #351730)

 -- Chuck Short <email address hidden> Mon, 30 Mar 2009 15:34:17 -0400

Changed in php5:
status: New → Fix Released