Debian Bug report logs - #609315
php5: Upstream bug CVE-2010-4645 / bug #53632, critical: conversion string>double might hang PHP interpreter
Reported by: Jort Koopmans <jort.koopmans@gmail.com>
Date: Sat, 8 Jan 2011 13:39:02 UTC
Severity: grave
Tags: moreinfo, security
Found in versions php5/5.3.3-1, php5/5.3.3-6
Fixed in versions php5/5.3.3-7, 5.3.3-7
Done: Julien Cristau <jcristau@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#609315; Package php5.
(Sat, 08 Jan 2011 13:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Jort Koopmans <jort.koopmans@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sat, 08 Jan 2011 13:39:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: php5
Version: 5.2.6.dfsg.1-1+lenny9
Severity: critical
From upstream; http://bugs.php.net/bug.php?id=53632
followed by release 5.3.5 and 5.2.17:
http://www.php.net/archive/2011.php#id2011-01-06-1
Short description;
Conversions from string to double might cause the PHP interpreter to
hang on systems using x87 FPU registers.
The problem is known to only affect x86 32-bit PHP processes, regardless
of whether the system hosting PHP is 32-bit or 64-bit.
-- System Information:
Debian Release: 5.0.7
APT prefers stable
APT policy: (990, 'stable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages php5 depends on:
ii libapache2-mod-php5 5.3.3-6 server-side, HTML-embedded scripti
ii php5-common 5.3.3-6 Common files for packages built fr
php5 recommends no packages.
php5 suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#609315; Package php5.
(Sat, 08 Jan 2011 14:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jort Koopmans <jort.koopmans@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sat, 08 Jan 2011 14:27:03 GMT) (full text, mbox, link).
Message #10 received at 609315@bugs.debian.org (full text, mbox, reply):
Update:
My x64 test system running php5.2.6dfsg.1-1+lenny9 does not seem to be
affected when using this script from CLI:
http://www.php.net/distributions/test_bug53632.txt
but php -v shows:
/# php -v
PHP 5.3.3-6 with Suhosin-Patch (cli) (built: Dec 7 2010 12:47:03)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
while phpinfo displays 5.2.6
so probably this test system is no good for reproducing the bug since it's
no vanilla install, and also an x64 build (which seems unaffected).
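An added example, not part of the original report and not PHP or Debian tooling: the thread turns on whether the PHP binary itself is a 32-bit x86 build, independent of the host architecture, so this Python code classifies a binary from its ELF header. The function names and the sample headers are constructed for illustration.

```python
import struct
import sys

ELFCLASS32, ELFCLASS64 = 1, 2   # EI_CLASS values
EM_386, EM_X86_64 = 3, 62       # e_machine values for 32-bit x86 and x86-64


def classify_elf(header: bytes) -> str:
    """Classify the first 20 bytes of a file: 'x86-32', 'x86-64', 'other' or 'not-elf'."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        return "not-elf"
    ei_class, ei_data = header[4], header[5]
    if ei_data not in (1, 2):            # 1 = little-endian, 2 = big-endian
        return "not-elf"
    endian = "<" if ei_data == 1 else ">"
    # e_machine is the 16-bit field at offset 18 in both ELF32 and ELF64.
    (e_machine,) = struct.unpack_from(endian + "H", header, 18)
    if ei_class == ELFCLASS32 and e_machine == EM_386:
        return "x86-32"                  # the process class named in the report
    if ei_class == ELFCLASS64 and e_machine == EM_X86_64:
        return "x86-64"
    return "other"


def in_affected_class(path: str) -> bool:
    """True if the binary at path is a 32-bit x86 ELF, whatever the host kernel is."""
    with open(path, "rb") as f:
        return classify_elf(f.read(20)) == "x86-32"


def sample_header(ei_class: int, e_machine: int) -> bytes:
    """Constructed little-endian ELF header prefix (20 bytes) for demonstration."""
    ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + bytes(8)
    return ident + struct.pack("<HH", 2, e_machine)   # e_type = ET_EXEC


if __name__ == "__main__":
    # Pass the path of a PHP binary or module; with no argument, show the samples.
    if len(sys.argv) > 1:
        print(sys.argv[1], "32-bit x86:", in_affected_class(sys.argv[1]))
    else:
        print(classify_elf(sample_header(ELFCLASS32, EM_386)))
        print(classify_elf(sample_header(ELFCLASS64, EM_X86_64)))
```

The result only says whether a binary falls in the 32-bit x86 class the report names; whether a given package version hangs also depends on the build, as the later messages about lenny show.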
Bug Marked as fixed in versions php5/5.3.3-7.
Request was from Ondřej Surý <ondrej@sury.org>
to control@bugs.debian.org.
(Sat, 08 Jan 2011 14:33:02 GMT) (full text, mbox, link).
Added tag(s) security.
Request was from Ondřej Surý <ondrej@sury.org>
to control@bugs.debian.org.
(Sat, 08 Jan 2011 14:33:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#609315; Package php5.
(Sat, 08 Jan 2011 15:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sat, 08 Jan 2011 15:33:05 GMT) (full text, mbox, link).
Message #19 received at 609315@bugs.debian.org (full text, mbox, reply):
tag 609315 moreinfo
severity 609315 grave
kthxbye
On Sat, Jan 8, 2011 at 14:26:50 +0100, Jort Koopmans wrote:
> Package: php5
> Version: 5.2.6.dfsg.1-1+lenny9
> Severity: critical
>
>
> From upstream; http://bugs.php.net/bug.php?id=53632
> followed by release 5.3.5 and 5.2.17:
> http://www.php.net/archive/2011.php#id2011-01-06-1
>
> Short description;
>
> Conversions from string to double might cause the PHP interpreter to
> hang on systems using x87 FPU registers.
>
> The problem is known to only affect x86 32-bit PHP processes, regardless
> of whether the system hosting PHP is 32-bit or 64-bit.
>
Did you actually reproduce this with php 5.2.6.dfsg.1-1+lenny9? AFAIK
people tried and couldn't.
Cheers,
Julien
Added tag(s) moreinfo.
Request was from Julien Cristau <jcristau@debian.org>
to control@bugs.debian.org.
(Sat, 08 Jan 2011 15:33:11 GMT) (full text, mbox, link).
Severity set to 'grave' from 'critical'
Request was from Julien Cristau <jcristau@debian.org>
to control@bugs.debian.org.
(Sat, 08 Jan 2011 15:33:12 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#609315; Package php5.
(Sat, 08 Jan 2011 16:54:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jort Koopmans <jort.koopmans@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sat, 08 Jan 2011 16:54:03 GMT) (full text, mbox, link).
Message #28 received at 609315@bugs.debian.org (full text, mbox, reply):
On Sat, 2011-01-08 at 16:31 +0100, Julien Cristau wrote:
[..]
> Did you actually reproduce this with php 5.2.6.dfsg.1-1+lenny9? AFAIK
> people tried and couldn't.
As mentioned in my update I couldn't reproduce it, but the 64bit build of
php5 seems unaffected, so maybe users with a 32bit install should test
it? If I understand the upstream buginfo correctly, both lenny and
squeeze current releases (32bit) should be vulnerable to this bug. I'd
recommend getting in touch with the people from PHP (Pajoye).
Cheers,
Jort
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#609315; Package php5.
(Sat, 08 Jan 2011 17:24:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sat, 08 Jan 2011 17:24:05 GMT) (full text, mbox, link).
Message #33 received at 609315@bugs.debian.org (full text, mbox, reply):
On Sat, Jan 8, 2011 at 17:51:43 +0100, Jort Koopmans wrote:
> On Sat, 2011-01-08 at 16:31 +0100, Julien Cristau wrote:
> [..]
> > Did you actually reproduce this with php 5.2.6.dfsg.1-1+lenny9? AFAIK
> > people tried and couldn't.
>
> As mentioned in my update I couldn't reproduce it, but the 64bit build of
> php5 seems unaffected, so maybe users with a 32bit install should test
> it? If I understand the upstream buginfo correctly, both lenny and
> squeeze current releases (32bit) should be vulnerable to this bug. I'd
> recommend getting in touch with the people from PHP (Pajoye).
>
As I said, people tested and couldn't reproduce the issue on 32bit
lenny.
Cheers,
Julien
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#609315; Package php5.
(Sat, 08 Jan 2011 17:27:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sat, 08 Jan 2011 17:27:08 GMT) (full text, mbox, link).
Message #38 received at 609315@bugs.debian.org (full text, mbox, reply):
notfound 609315 5.2.6.dfsg.1-1+lenny9
found 609315 5.3.3-1
thanks
On 8 January 2011 10:51, Jort Koopmans <jort.koopmans@gmail.com> wrote:
> On Sat, 2011-01-08 at 16:31 +0100, Julien Cristau wrote:
> [..]
>> Did you actually reproduce this with php 5.2.6.dfsg.1-1+lenny9? AFAIK
>> people tried and couldn't.
>
> As mentioned in my update I couldn't reproduce it, but the 64bit build of
> php5 seems unaffected, so maybe users with a 32bit install should test
> it? If I understand the upstream buginfo correctly, both lenny and
> squeeze current releases (32bit) should be vulnerable to this bug. I'd
> recommend getting in touch with the people from PHP (Pajoye).
It can not be reproduced in lenny. The only indication I have for now
as to why it can't be reproduced is because the version of gcc in
lenny doesn't optimise zend_strtod by making use of the x87 unit in a
way that would make it hang.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Bug No longer marked as found in versions php5/5.2.6.dfsg.1-1+lenny9.
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Sat, 08 Jan 2011 17:27:11 GMT) (full text, mbox, link).
Bug Marked as found in versions php5/5.3.3-1.
Request was from Raphael Geissert <geissert@debian.org>
to control@bugs.debian.org.
(Sat, 08 Jan 2011 17:27:12 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#609315; Package php5.
(Sat, 08 Jan 2011 17:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sat, 08 Jan 2011 17:45:03 GMT) (full text, mbox, link).
Message #47 received at submit@bugs.debian.org (full text, mbox, reply):
Version: 5.3.3-7
On Sat, Jan 8, 2011 at 14:26:50 +0100, Jort Koopmans wrote:
> From upstream; http://bugs.php.net/bug.php?id=53632
> followed by release 5.3.5 and 5.2.17:
> http://www.php.net/archive/2011.php#id2011-01-06-1
>
> Short description;
>
> Conversions from string to double might cause the PHP interpreter to
> hang on systems using x87 FPU registers.
>
> The problem is known to only affect x86 32-bit PHP processes, regardless
> of whether the system hosting PHP is 32-bit or 64-bit.
>
Marking as fixed in squeeze/sid.
Cheers,
Julien
Reply sent
to Julien Cristau <jcristau@debian.org>:
You have taken responsibility.
(Sat, 08 Jan 2011 17:45:07 GMT) (full text, mbox, link).
Notification sent
to Jort Koopmans <jort.koopmans@gmail.com>:
Bug acknowledged by developer.
(Sat, 08 Jan 2011 17:45:07 GMT) (full text, mbox, link).
Bug Marked as found in versions php5/5.3.3-6.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Sun, 09 Jan 2011 10:36:03 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 07 Feb 2011 07:41:57 GMT) (full text, mbox, link).