Debian Bug report logs - #576147: memory corruption in PHP
Reported by: Toni Mueller <support@oeko.net>
Date: Thu, 1 Apr 2010 08:12:08 UTC
Severity: normal
Found in version php5/5.2.6.dfsg.1-1+lenny8
Fixed in version 5.3.3-7
Done: Ondřej Surý <ondrej@sury.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#576147; Package php5-cgi.
(Thu, 01 Apr 2010 08:12:11 GMT)
Acknowledgement sent
to Toni Mueller <support@oeko.net>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Thu, 01 Apr 2010 08:12:11 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php5-cgi
Version: 5.2.6.dfsg.1-1+lenny8
Severity: normal
Hi,
I've written to the TYPO3 folks in order to get the problem described
below fixed, but they say I should turn to you instead. FWIW, I'm
running a pretty vanilla TYPO3 4.2.12 from upstream's source code,
along with some add-ons that the customer implemented (but I don't know
which, some are his creation).
On Thu, 01.04.2010 at 05:20:39 +0200, TYPO3 Security Team <security@typo3.org> wrote:
> Toni Mueller <support@oeko.net> wrote:
> > I forgot to send another error message that makes me feel uneasy. So
> > here goes:
> > > Mar 23 14:19:29 debian suhosin[15099]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '80.142.175.180', file '/webserverroot/typo3_src-4.2.12/t3lib/class.t3lib_htmlmail.php', line 718)
>
> According to a blog post [1] this is caused by a memory corruption of PHP or
> one of its extensions. This is not related to TYPO3 Security.
>
> > Mar 29 13:15:47 debian suhosin[11070]: ALERT - linked list corrupt on efree ()
> > - heap corruption detected (attacker '88.116.33.10', file
> > '/webserverroot/www.example.com/index.php')
>
> This again seems to be a bug in PHP or its extensions (memory related). This is
> not related to any kind of TYPO3 attack.
> Both "events" seem impossible to trigger intentionally from remote - so
> there's no real "attacker".
>
> These bugs aren't caused by, and can't be mitigated by, TYPO3 source code.
>
> To fix these bugs, you have to use the bug infrastructure of your OS distributor!
It would be great if someone could fix the problem, and/or backport PHP
5.2.13 to Lenny. If you want to discuss the issue with the TYPO3 folks,
their ticket number for this issue is [Ticket#2010033110000014].
I leave the severity as "normal" because the TYPO3 folks claim that the
error occurs at random, and cannot be provoked by a user, and that this
is not really a security problem (see [1] for details), although I'm
not quite sure about that because there are only exactly these two
locations where the error occurs, often several times a day.
Kind regards,
--Toni++
[1] http://www.suspekt.org/2008/10/12/suhosin-canary-mismatch-on-efree-heap-overflow-detected/
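Added example, not part of the original report: a log-triage helper that parses Suhosin heap alerts in the format quoted above and groups them by source location, which is one way to check the observation that the alerts come from only two places regardless of the client address. The function names and the sample log entries are constructed for illustration.

```python
import re
from collections import defaultdict

# Suhosin heap ALERT as quoted in this report. The line number is optional,
# and "efree ()" may contain a space where the mail was re-wrapped.
ALERT_RE = re.compile(
    r"ALERT - (?P<kind>canary mismatch|linked list corrupt) on efree\s*\(\)"
    r" - heap (?:overflow|corruption) detected"
    r" \(attacker '(?P<client>[^']*)', file '(?P<file>[^']*)'"
    r"(?:, line (?P<line>\d+))?\)"
)

def parse_alert(text):
    """Return the fields of one Suhosin heap ALERT, or None if absent."""
    # Drop mail quote prefixes ("> ", "| ") and undo line wrapping first.
    flat = " ".join(re.sub(r"(?m)^[>|\s]+", "", text).split())
    m = ALERT_RE.search(flat)
    if m is None:
        return None
    rec = m.groupdict()
    rec["line"] = int(rec["line"]) if rec["line"] else None
    return rec

def group_by_location(entries):
    """Map (file, line) -> alert count, distinct clients and alert kinds."""
    groups = defaultdict(lambda: {"count": 0, "clients": set(), "kinds": set()})
    for text in entries:
        rec = parse_alert(text)
        if rec is None:
            continue  # unrelated log line
        g = groups[(rec["file"], rec["line"])]
        g["count"] += 1
        g["clients"].add(rec["client"])
        g["kinds"].add(rec["kind"])
    return dict(groups)

# Constructed sample in the report's format (documentation-range addresses).
MAIL = "/webserverroot/typo3_src-4.2.12/t3lib/class.t3lib_htmlmail.php"
SAMPLE = [
    f"Mar 23 14:19:29 debian suhosin[15099]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '192.0.2.10', file '{MAIL}', line 718)",
    f"> > Mar 24 09:02:11 debian suhosin[15213]: ALERT - canary mismatch on\n> > efree() - heap overflow detected (attacker '198.51.100.7', file\n> > '{MAIL}', line 718)",
    "Mar 29 13:15:47 debian suhosin[11070]: ALERT - linked list corrupt on efree () - heap corruption detected (attacker '203.0.113.5', file '/webserverroot/www.example.com/index.php')",
    "Mar 29 13:16:02 debian sshd[2201]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for (path, line), g in group_by_location(SAMPLE).items():
        print(path, line, g["count"], sorted(g["clients"]), sorted(g["kinds"]))
```

Many distinct client addresses hitting the same file and line points at a code path in the application or interpreter rather than at one remote party, which is the distinction the thread is arguing about.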
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#576147; Package php5-cgi.
(Fri, 30 Apr 2010 10:06:06 GMT)
Acknowledgement sent
to Michael Stucki <michael@typo3.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Fri, 30 Apr 2010 10:06:07 GMT)
Message #10 received at 576147@bugs.debian.org:
Interestingly, I'm having exactly the same problem as Toni. Same TYPO3
version, same line, same error.
The error log says:
| [Fri Apr 30 09:51:07 2010] [error] [client xx.xx.xx.xx] ALERT - canary
| mismatch on efree() - heap overflow detected (attacker 'xx.xx.xx.xx',
| file '/var/www/typo3_src-4.2/t3lib/class.t3lib_htmlmail.php', line
| 718), referer: http://abc.com/
This very line calls ini_set to update the "sendmail_from" property:
| ini_set('sendmail_from', $tmpVal);
I see nothing special with this, $tmpVal is just the regular email address.
Also note that it sometimes works. It's probably 1/3 of all attempts
which fail, so it is just partly reproducible...
It seems like I'm able to isolate the problem by adding nothing but this
line into an empty script:
<?php
ini_set('sendmail_from', 'info@myhost.com');
?>
So there must be something wrong with ini_set trying to overwrite
sendmail_from.
Note that in php.ini, the sendmail_from as well as the sendmail_path
properties are both not set (commented out).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#576147; Package php5-cgi.
(Wed, 25 Aug 2010 23:42:03 GMT)
Acknowledgement sent
to Bill Blough <bblough@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Wed, 25 Aug 2010 23:42:04 GMT)
Message #15 received at 576147@bugs.debian.org:
I'm seeing the same error, however I'm not running TYPO3, but rather a
script developed in-house at my company.
The error message also refers to a line that is nothing more than
ini_set("sendmail_from", $email_addr);
This is under libapache2-mod-php5 5.2.6.dfsg.1-1+lenny8
Reply sent
to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility.
(Wed, 27 Apr 2011 08:34:26 GMT)
Notification sent
to Toni Mueller <support@oeko.net>:
Bug acknowledged by developer.
(Wed, 27 Apr 2011 08:34:27 GMT)
Message #20 received at 576147-done@bugs.debian.org:
Version: 5.3.3-7
Hi,
since lenny is oldstable it will not get any updates now (except
security)[1], I am closing all segfault bugs filed against php5 in
lenny. (This is kind of saying that we don't care much about php5 in
lenny anymore).
If you believe the bug is still there, please provide evidence[2] and
a (preferably complete) test case with up-to-date squeeze (and/or
testing or unstable) version of php5 and reopen the bug.
O.
1. http://wiki.debian.org/PHP#Notes_on_PHP_and_security
2. Install php5-dbg and provide backtrace:
http://bugs.php.net/bugs-generating-backtrace.php
--
Ondřej Surý <ondrej@sury.org>
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 26 May 2011 07:35:44 GMT)
Last modified: Sun Jul 2 01:10:57 2023