php 5.3.10 openssl_encrypt empty data

Bug #1099793 reported by Szuts Attila
Affects          Status        Importance  Assigned to       Milestone
php5 (Ubuntu)    Fix Released  Undecided   Unassigned
Precise          Fix Released  Medium      Marc Deslauriers
Quantal          Fix Released  Undecided   Unassigned
Raring           Fix Released  Undecided   Unassigned

Bug Description

$>lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04

$>apt-cache policy php5
php5:
  Installed: 5.3.10-1ubuntu3.4
  Candidate: 5.3.10-1ubuntu3.4
  Version table:
 *** 5.3.10-1ubuntu3.4 0
        500 http://hu.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     5.3.10-1ubuntu3 0
        500 http://hu.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

My libssl version:
libssl1.0.0:
  Installed: 1.0.1-4ubuntu5.5
  Candidate: 1.0.1-4ubuntu5.5
  Version table:
 *** 1.0.1-4ubuntu5.5 0
        500 http://hu.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1-4ubuntu5.3 0
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     1.0.1-4ubuntu3 0
        500 http://hu.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

EXPECTED:
If you run test.php (attached) on the command line or as an Apache module, the expected output is binary data smaller than 40 bytes.

BUG:
On my system it outputs 32 KB, containing a memory dump, PHP source code, PHP variable values etc.
It looks similar to a buffer overrun/overflow.

I've downloaded the PHP 5.3.10 source code. Could the following cause it?

php5-5.3.10/ext/openssl/openssl.c line 4716:
if (data_len > 0) {
    /* i is not assigned when this branch is skipped */
    EVP_EncryptUpdate(&cipher_ctx, outbuf, &i, (unsigned char *)data, data_len);
}

If data is empty, it does not call the EVP_EncryptUpdate() function.

CVE References

CVE-2012-6113
Robie Basak (racb) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better.

It seems likely that this could be an upstream bug. I think suitable next steps are to try to reproduce with PHP built directly from upstream (not from packaging), both 5.3.10 and the latest version to see if this bug occurs upstream and if so whether it has been fixed already.

Are you able to do this, please?

Changed in php5 (Ubuntu):
importance: Undecided → Medium
Szuts Attila (attb2) wrote:

Bad news: I am trying to compile PHP 5.3.10 on my 12.04 LTS but it doesn't work. :-(
$>apt-get source php5
$>cd php5-5.3.10
$>./configure --with-openssl
$>make

/bin/sh /tmp/php5-5.3.10/libtool --silent --preserve-dup-deps --mode=compile gcc -Iext/date/lib -Iext/date/ -I/tmp/php5-5.3.10/ext/date/ -DPHP_ATOM_INC -I/tmp/php5-5.3.10/include -I/tmp/php5-5.3.10/main -I/tmp/php5-5.3.10 -I/tmp/php5-5.3.10/ext/date/lib -I/tmp/php5-5.3.10/ext/ereg/regex -I/usr/include/libxml2 -I/tmp/php5-5.3.10/ext/sqlite3/libsqlite -I/tmp/php5-5.3.10/TSRM -I/tmp/php5-5.3.10/Zend -I/usr/include -g -O2 -fvisibility=hidden -c /tmp/php5-5.3.10/ext/date/php_date.c -o ext/date/php_date.lo
/tmp/php5-5.3.10/libtool: 481: /tmp/php5-5.3.10/libtool: CDPATH: not found
libtool: Version mismatch error. This is libtool 2.4 Debian-2.4-2ubuntu1, but the
libtool: definition of this LT_INIT comes from an older release.
libtool: You should recreate aclocal.m4 with macros from libtool 2.4 Debian-2.4-2ubuntu1
libtool: and run autoconf again.
make: *** [ext/date/php_date.lo] Error 63

I'm not familiar with libtool...
Can anyone build (compile) PHP 5.3.10 source on Precise?

Szuts Attila (attb2) wrote:

I have successfully built PHP 5.4.10 (latest version from http://php.net) on 12.04. This PHP version is not affected by the bug. :-)
Could anyone confirm the bug on stock ubuntu 12.04 system?

Robie Basak (racb) wrote:

Confirmed, and I've found the fix. This is https://bugs.php.net/bug.php?id=61413 fixed in http://git.php.net/?p=php-src.git;a=commit;h=270a406ac94b5fc5cc9ef59fc61e3b4b95648a3e and released upstream in 5.3.14.

This is due to i remaining uninitialised in the case of input data of zero size.

I also think this is a security issue, since it results in the "encrypted data" containing arbitrary memory contents which could subsequently be leaked to a web user. This could contain things like a mysql password or other secrets.

The attached debdiff fixes this bug. I've tested that it builds and upgrading fixes the issue. Adding ~ubuntu-security-sponsors and removing importance for re-triaging by the security team.

Changed in php5 (Ubuntu):
importance: Medium → Undecided
information type: Public → Public Security
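The reporter's EXPECTED/BUG description and Robie's diagnosis above describe one mechanism: when data_len is 0 the EVP_EncryptUpdate() call is skipped, i is never assigned, and the length handed to the returned PHP string is whatever the stack happened to hold. The C program below is an added example for this page, not code from php-src or the Ubuntu package. It mirrors the control flow of openssl_encrypt() around the quoted lines using a stand-in block cipher (toy_update/toy_final, the same Update/Final shape as EVP but no libcrypto dependency) and switches between the 5.3.10 shape and the fix, which the changelog describes as properly initialising the length (modelled here as starting i at 0). Reading an uninitialised int is undefined behaviour, so the stale stack value is modelled by an explicit stale_i argument, and a bounds guard turns the would-be out-of-bounds write into a -1 return. All function names and the stale values are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK 16

/* Stand-in for an EVP cipher context: it buffers the partial block the way
 * EVP_EncryptUpdate()/EVP_EncryptFinal() do for a block cipher in CBC mode.
 * (Hypothetical toy cipher for this example; it does not encrypt anything.) */
struct toy_ctx { unsigned char buf[BLOCK]; int buflen; };

static void toy_init(struct toy_ctx *c) { c->buflen = 0; }

/* Emits every complete block (bytes XORed with 0x5A stand in for encryption);
 * leftover bytes wait for toy_final(). Sets *outl exactly like EVP does. */
static void toy_update(struct toy_ctx *c, unsigned char *out, int *outl,
                       const unsigned char *in, int inl) {
    int n = 0;
    for (int k = 0; k < inl; k++) {
        c->buf[c->buflen++] = in[k];
        if (c->buflen == BLOCK) {
            for (int j = 0; j < BLOCK; j++) out[n + j] = c->buf[j] ^ 0x5A;
            n += BLOCK;
            c->buflen = 0;
        }
    }
    *outl = n;
}

/* PKCS#7-pads the buffered tail to one block and emits it: always BLOCK bytes,
 * which is why an empty plaintext still yields one block of ciphertext. */
static void toy_final(struct toy_ctx *c, unsigned char *out, int *outl) {
    unsigned char pad = (unsigned char)(BLOCK - c->buflen);
    for (int j = c->buflen; j < BLOCK; j++) c->buf[j] = pad;
    for (int j = 0; j < BLOCK; j++) out[j] = c->buf[j] ^ 0x5A;
    c->buflen = 0;
    *outl = BLOCK;
}

/* Mirrors openssl_encrypt() in 5.3.10 around the quoted "if (data_len > 0)".
 * fixed == 0 models `int i;` (5.3.10), fixed == 1 models the fix (i starts at 0).
 * stale_i models the stack residue an uninitialised i would contain.
 * Returns the length that would reach RETVAL_STRINGL, or -1 when that length
 * (or the Final write offset) would exceed the buffer PHP allocated
 * (data_len + block size + 1), i.e. when adjacent heap would be returned. */
static int php_style_encrypt(const unsigned char *data, int data_len,
                             int fixed, int stale_i,
                             unsigned char *outbuf, int outbuf_size) {
    struct toy_ctx ctx;
    int i = fixed ? 0 : stale_i;   /* the whole fix is the difference here */
    int outlen;

    toy_init(&ctx);
    if (data_len > 0) {
        toy_update(&ctx, outbuf, &i, data, data_len);   /* only assignment to i */
    }
    outlen = i;                     /* garbage when data_len == 0 and unfixed */
    if (outlen < 0 || outlen > outbuf_size - BLOCK) {
        return -1;                  /* guard: never perform the overrun here */
    }
    toy_final(&ctx, outbuf + outlen, &i);
    return outlen + i;
}

/* Runs one case with a buffer sized exactly as PHP sizes it and returns the
 * length that would become the PHP string, or -1 for a would-be overrun. */
static int demo_len(const char *data, int fixed, int stale_i) {
    int data_len = (int)strlen(data);
    int outbuf_size = data_len + BLOCK + 1;
    unsigned char *outbuf = calloc(1, (size_t)outbuf_size);
    if (!outbuf) return -1;
    int len = php_style_encrypt((const unsigned char *)data, data_len,
                                fixed, stale_i, outbuf, outbuf_size);
    free(outbuf);
    return len;
}

int main(void) {
    printf("fixed,  empty input:              %d\n", demo_len("", 1, 0x7FE0));
    printf("5.3.10, empty input, i=0x7FE0:    %d (would return ~32 KB of heap)\n",
           demo_len("", 0, 0x7FE0));
    printf("5.3.10, empty input, i=0:         %d (bug latent)\n", demo_len("", 0, 0));
    printf("5.3.10, \"hello\" (i set by Update): %d\n", demo_len("hello", 0, 0x7FE0));
    return 0;
}
```

The stale value 0x7FE0 is chosen only so the would-be length (32752 bytes) lands near the 32 KB the reporter observed; any non-zero residue gives a wrong length and a zero residue hides the bug entirely, which is why the same code can pass a test on one build or call sequence and leak memory on another. The non-empty case shows why the fix was invisible for ordinary inputs: Update assigns i before it is ever read.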
Robie Basak (racb) wrote:

If this doesn't qualify as a security issue then I think we should SRU this instead.

Build log attached from my test.

Szuts Attila (attb2) wrote:

Thanks Robie!
Is there any tutorial for building a deb package on Ubuntu? (Or which command did you use for packaging?)
I want to build my own php5 deb package if nothing happens by the end of the week. :-)

Robie Basak (racb)
Changed in php5 (Ubuntu):
status: New → Triaged
importance: Undecided → High
importance: High → Undecided
status: Triaged → New
no longer affects: php5 (Debian)
Changed in php5 (Ubuntu Quantal):
status: New → Fix Released
Changed in php5 (Ubuntu Raring):
status: New → Fix Released
Changed in php5 (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Medium
Changed in php5 (Ubuntu):
status: Fix Released → Confirmed
Changed in php5 (Ubuntu Raring):
status: Confirmed → Fix Released
Changed in php5 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package php5 - 5.3.10-1ubuntu3.5

---------------
php5 (5.3.10-1ubuntu3.5) precise-security; urgency=low

  * SECURITY UPDATE: arbitrary memory disclosure (LP: #1099793)
    - debian/patches/CVE-2012-6113.patch: properly initialize length in
      ext/openssl/openssl.c.
    - CVE-2012-6113
 -- Marc Deslauriers <email address hidden> Fri, 18 Jan 2013 09:49:22 -0500

Changed in php5 (Ubuntu Precise):
status: Confirmed → Fix Released