Debian Bug report logs - #609315
php5: Upstream bug CVE-2010-4645 / bug #53632, critical: conversion string>double might hang PHP interpreter
Reported by: Jort Koopmans <jort.koopmans@gmail.com>
Date: Sat, 8 Jan 2011 13:39:02 UTC
Severity: grave
Tags: moreinfo, security
Found in versions php5/5.3.3-1, php5/5.3.3-6
Fixed in versions php5/5.3.3-7, 5.3.3-7
Done: Julien Cristau <jcristau@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#609315; Package php5. (Sat, 08 Jan 2011 13:39:04 GMT)
Acknowledgement sent to Jort Koopmans <jort.koopmans@gmail.com>: New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 08 Jan 2011 13:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php5
Version: 5.2.6.dfsg.1-1+lenny9
Severity: critical
From upstream; http://bugs.php.net/bug.php?id=53632
followed by release 5.3.5 and 5.2.17:
http://www.php.net/archive/2011.php#id2011-01-06-1
Short description;
Conversions from string to double might cause the PHP interpreter to
hang on systems using x87 FPU registers.
The problem is known to only affect x86 32-bit PHP processes, regardless
of whether the system hosting PHP is 32-bit or 64-bit.
-- System Information:
Debian Release: 5.0.7
APT prefers stable
APT policy: (990, 'stable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages php5 depends on:
ii libapache2-mod-php5 5.3.3-6 server-side, HTML-embedded scripti
ii php5-common 5.3.3-6 Common files for packages built fr
php5 recommends no packages.
php5 suggests no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#609315; Package php5. (Sat, 08 Jan 2011 14:27:03 GMT)
Acknowledgement sent to Jort Koopmans <jort.koopmans@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 08 Jan 2011 14:27:03 GMT)
Message #10 received at 609315@bugs.debian.org:
Update:
My x64 test system running php5.2.6dfsg.1-1+lenny9 does not seem to be
affected when using this script from CLI:
http://www.php.net/distributions/test_bug53632.txt
but php -v shows:
/# php -v
PHP 5.3.3-6 with Suhosin-Patch (cli) (built: Dec 7 2010 12:47:03)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
while phpinfo displays 5.2.6
so probably this test system is no good for reproducing the bug since it's
no vanilla install, and also an x64 build (which seems unaffected).
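Added example (not part of the bug log, and not PHP or Debian code): the report states that only x86 32-bit PHP processes are affected regardless of the host, so the architecture of an amd64 host does not settle exposure; this sketch reads the ELF header of each PHP binary or module instead. The sample headers are constructed, and the check identifies the 32-bit x86 condition only, not whether the compiler emitted the x87 code path.

```python
import struct

EM_386, EM_X86_64 = 3, 62        # e_machine values from the ELF specification
ELFCLASS32, ELFCLASS64 = 1, 2    # EI_CLASS values

def elf_identity(header: bytes):
    """Return (bits, e_machine) from the first 20 bytes of an ELF file, or None."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = header[4], header[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are 16-bit fields at offsets 16 and 18 in both classes
    _e_type, e_machine = struct.unpack_from(endian + "HH", header, 16)
    return (32 if ei_class == ELFCLASS32 else 64, e_machine)

def is_32bit_x86(header: bytes) -> bool:
    """True only for the build type the report names as affected."""
    return elf_identity(header) == (32, EM_386)

def triage(paths):
    """Map each path to True (32-bit x86), False (other ELF) or None (not ELF)."""
    result = {}
    for path in paths:
        with open(path, "rb") as fh:
            head = fh.read(20)
        result[path] = None if elf_identity(head) is None else is_32bit_x86(head)
    return result

def sample_header(ei_class, machine):
    # Constructed sample: little-endian ELF header prefix, not a real binary
    ident = b"\x7fELF" + bytes([ei_class, 1, 1]) + bytes(9)
    return ident + struct.pack("<HH", 3, machine)

SAMPLE_I386 = sample_header(ELFCLASS32, EM_386)
SAMPLE_AMD64 = sample_header(ELFCLASS64, EM_X86_64)

if __name__ == "__main__":
    import sys
    labels = {True: "32-bit x86 build", False: "other architecture", None: "not ELF"}
    # Pass every PHP executable and web-server module in use as arguments
    for path, hit in triage(sys.argv[1:]).items():
        print(path, labels[hit])
```

Check the CLI binary and the web-server module separately: the message above shows `php -v` and phpinfo reporting different versions on one host, so they can be different builds.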
Bug Marked as fixed in versions php5/5.3.3-7. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Sat, 08 Jan 2011 14:33:02 GMT)
Added tag(s) security. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Sat, 08 Jan 2011 14:33:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#609315; Package php5. (Sat, 08 Jan 2011 15:33:05 GMT)
Acknowledgement sent to Julien Cristau <jcristau@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 08 Jan 2011 15:33:05 GMT)
Message #19 received at 609315@bugs.debian.org:
tag 609315 moreinfo
severity 609315 grave
kthxbye
On Sat, Jan 8, 2011 at 14:26:50 +0100, Jort Koopmans wrote:
> Package: php5
> Version: 5.2.6.dfsg.1-1+lenny9
> Severity: critical
>
>
> From upstream; http://bugs.php.net/bug.php?id=53632
> followed by release 5.3.5 and 5.2.17:
> http://www.php.net/archive/2011.php#id2011-01-06-1
>
> Short description;
>
> Conversions from string to double might cause the PHP interpreter to
> hang on systems using x87 FPU registers.
>
> The problem is known to only affect x86 32-bit PHP processes, regardless
> of whether the system hosting PHP is 32-bit or 64-bit.
>
Did you actually reproduce this with php 5.2.6.dfsg.1-1+lenny9? AFAIK
people tried and couldn't.
Cheers,
Julien
Added tag(s) moreinfo. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Sat, 08 Jan 2011 15:33:11 GMT)
Severity set to 'grave' from 'critical'. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Sat, 08 Jan 2011 15:33:12 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#609315; Package php5. (Sat, 08 Jan 2011 16:54:03 GMT)
Acknowledgement sent to Jort Koopmans <jort.koopmans@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 08 Jan 2011 16:54:03 GMT)
Message #28 received at 609315@bugs.debian.org:
On Sat, 2011-01-08 at 16:31 +0100, Julien Cristau wrote:
[..]
> Did you actually reproduce this with php 5.2.6.dfsg.1-1+lenny9? AFAIK
> people tried and couldn't.
As mentioned in my update I couldn't reproduce it, but the 64bit build of
php5 seems unaffected, so maybe users with a 32bit install should test
it? If I understand the upstream buginfo correctly, both lenny and
squeeze current releases (32bit) should be vulnerable to this bug. I'd
recommend getting in touch with the people from PHP (Pajoye).
Cheers,
Jort
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#609315; Package php5. (Sat, 08 Jan 2011 17:24:05 GMT)
Acknowledgement sent to Julien Cristau <jcristau@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 08 Jan 2011 17:24:05 GMT)
Message #33 received at 609315@bugs.debian.org:
On Sat, Jan 8, 2011 at 17:51:43 +0100, Jort Koopmans wrote:
> On Sat, 2011-01-08 at 16:31 +0100, Julien Cristau wrote:
> [..]
> > Did you actually reproduce this with php 5.2.6.dfsg.1-1+lenny9? AFAIK
> > people tried and couldn't.
>
> As mentioned in my update I couldn't reproduce it, but the 64bit build of
> php5 seems unaffected, so maybe users with a 32bit install should test
> it? If I understand the upstream buginfo correctly, both lenny and
> squeeze current releases (32bit) should be vulnerable to this bug. I'd
> recommend getting in touch with the people from PHP (Pajoye).
>
As I said, people tested and couldn't reproduce the issue on 32bit
lenny.
Cheers,
Julien
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#609315; Package php5. (Sat, 08 Jan 2011 17:27:08 GMT)
Acknowledgement sent to Raphael Geissert <geissert@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 08 Jan 2011 17:27:08 GMT)
Message #38 received at 609315@bugs.debian.org:
notfound 609315 5.2.6.dfsg.1-1+lenny9
found 609315 5.3.3-1
thanks
On 8 January 2011 10:51, Jort Koopmans <jort.koopmans@gmail.com> wrote:
> On Sat, 2011-01-08 at 16:31 +0100, Julien Cristau wrote:
> [..]
>> Did you actually reproduce this with php 5.2.6.dfsg.1-1+lenny9? AFAIK
>> people tried and couldn't.
>
> As mentioned in my update I couldn't reproduce it, but the 64bit build of
> php5 seems unaffected, so maybe users with a 32bit install should test
> it? If I understand the upstream buginfo correctly, both lenny and
> squeeze current releases (32bit) should be vulnerable to this bug. I'd
> recommend getting in touch with the people from PHP (Pajoye).
It cannot be reproduced in lenny. The only indication I have for now
as to why it can't be reproduced is because the version of gcc in
lenny doesn't optimise zend_strtod by making use of the x87 unit in a
way that would make it hang.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug No longer marked as found in versions php5/5.2.6.dfsg.1-1+lenny9. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Sat, 08 Jan 2011 17:27:11 GMT)
Bug Marked as found in versions php5/5.3.3-1. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Sat, 08 Jan 2011 17:27:12 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#609315; Package php5. (Sat, 08 Jan 2011 17:45:03 GMT)
Acknowledgement sent to Julien Cristau <jcristau@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 08 Jan 2011 17:45:03 GMT)
Message #47 received at submit@bugs.debian.org:
Version: 5.3.3-7
On Sat, Jan 8, 2011 at 14:26:50 +0100, Jort Koopmans wrote:
> From upstream; http://bugs.php.net/bug.php?id=53632
> followed by release 5.3.5 and 5.2.17:
> http://www.php.net/archive/2011.php#id2011-01-06-1
>
> Short description;
>
> Conversions from string to double might cause the PHP interpreter to
> hang on systems using x87 FPU registers.
>
> The problem is known to only affect x86 32-bit PHP processes, regardless
> of whether the system hosting PHP is 32-bit or 64-bit.
>
Marking as fixed in squeeze/sid.
Cheers,
Julien
Reply sent to Julien Cristau <jcristau@debian.org>: You have taken responsibility. (Sat, 08 Jan 2011 17:45:07 GMT)
Notification sent to Jort Koopmans <jort.koopmans@gmail.com>: Bug acknowledged by developer. (Sat, 08 Jan 2011 17:45:07 GMT)
Bug Marked as found in versions php5/5.3.3-6. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Sun, 09 Jan 2011 10:36:03 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Feb 2011 07:41:57 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jan 6 20:59:49 2016; Machine Name: buxtehude
Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.