[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308
** Branch linked: lp:ubuntu/hardy-updates/php5
** Branch linked: lp:ubuntu/php5
** Branch linked: lp:ubuntu/dapper-updates/php5
** Branch linked: lp:ubuntu/maverick-security/php5
** Branch linked: lp:ubuntu/karmic-security/php5
** Branch linked: lp:ubuntu/lucid-security/php5

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/697181

Title: DoS: Infinite loop processing 2.2250738585072011e-308

To manage notifications about this bug go to:
https://bugs.launchpad.net/php/+bug/697181/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308
This bug was fixed in the package php5 - 5.3.3-1ubuntu9.2

---
php5 (5.3.3-1ubuntu9.2) maverick-security; urgency=low

  * SECURITY UPDATE: open_basedir bypass
    - debian/patches/php5-CVE-2010-3436.patch: more strict checking in
      php_check_specific_open_basedir()
    - CVE-2010-3436
  * SECURITY UPDATE: NULL pointer dereference crash
    - debian/patches/php5-CVE-2010-3709.patch: check for NULL when
      getting zip comment
    - CVE-2010-3709
  * SECURITY UPDATE: memory consumption denial of service
    - debian/patches/php5-CVE-2010-3710.patch: check for email address
      longer than RFC 2821 allows
    - CVE-2010-3710
  * SECURITY UPDATE: xml decode bypass
    - debian/patches/php5-CVE-2010-3870.patch: improve utf8 decoding
    - CVE-2010-3870
  * SECURITY UPDATE: memory disclosure
    - debian/patches/php5-CVE-2010-4156.patch: check for excessive
      length in mb_strcut()
    - CVE-2010-4156
  * SECURITY UPDATE: integer overflow can cause an application crash
    - debian/patches/php5-CVE-2010-4409.patch: fix invalid args in
      NumberFormatter::getSymbol()
    - CVE-2010-4409
  * SECURITY UPDATE: infinite loop/denial of service when dealing with
    certain textual forms of MAX_FLOAT (LP: #697181)
    - debian/patches/php5-CVE-2010-4645.patch: treat local doubles as
      volatile to avoid x87 registers in zend_strtod()
    - CVE-2010-4645

 -- Steve Beattie sbeat...@ubuntu.com  Wed, 05 Jan 2011 22:45:19 -0800

** Changed in: php5 (Ubuntu Maverick)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3436
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3709
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3710
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3870
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4156
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4409

** Changed in: php5 (Ubuntu Lucid)
       Status: Confirmed => Fix Released
[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308
This bug was fixed in the package php5 - 5.3.2-1ubuntu4.6

---
php5 (5.3.2-1ubuntu4.6) lucid-security; urgency=low

  * SECURITY UPDATE: open_basedir bypass
    - debian/patches/php5-CVE-2010-3436.patch: more strict checking in
      php_check_specific_open_basedir()
    - CVE-2010-3436
  * SECURITY UPDATE: NULL pointer dereference crash
    - debian/patches/php5-CVE-2010-3709.patch: check for NULL when
      getting zip comment
    - CVE-2010-3709
  * SECURITY UPDATE: memory consumption denial of service
    - debian/patches/php5-CVE-2010-3710.patch: check for email address
      longer than RFC 2821 allows
    - CVE-2010-3710
  * SECURITY UPDATE: xml decode bypass
    - debian/patches/php5-CVE-2010-3870.patch: improve utf8 decoding
    - CVE-2010-3870
  * SECURITY UPDATE: integer overflow can cause an application crash
    - debian/patches/php5-CVE-2010-4409.patch: fix invalid args in
      NumberFormatter::getSymbol()
    - CVE-2010-4409
  * SECURITY UPDATE: infinite loop/denial of service when dealing with
    certain textual forms of MAX_FLOAT (LP: #697181)
    - debian/patches/php5-CVE-2010-4645.patch: treat local doubles as
      volatile to avoid x87 registers in zend_strtod()
    - CVE-2010-4645

 -- Steve Beattie sbeat...@ubuntu.com  Fri, 07 Jan 2011 10:56:23 -0800
[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308
** Changed in: php5 (Debian)
       Status: Unknown => Fix Released
[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308
** Changed in: php5 (Ubuntu Maverick)
     Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: php5 (Ubuntu Lucid)
     Assignee: (unassigned) => Steve Beattie (sbeattie)
[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308
I've confirmed that marking the double variables as volatile in maverick's php causes the infinite loop not to get triggered on i386 (and think I understand why that's the case). However, attempts to reproduce the issue with php from 9.10 (karmic), 8.04 (hardy), and 6.06 (dapper) fail for no apparent reason -- the zend_strtod.c code is nearly identical between karmic and lucid's versions. Does anyone have an indication as to what's different that would cause this issue not to be triggered on older releases?

Thanks.
[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308
Maybe it is related to some compiler flags? (e.g. it can be worked around by using -ffloat-store in CFLAGS). See http://news.ycombinator.com/item?id=2066084 for more discussion.
[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308
** Description changed:

  Binary package hint: php5

  Processing certain textual forms of MAX_FLOAT leads to an infinite loop/hang/DoS:

  php -r 'print 2.2250738585072011e-308;'

  hangs indefinitely, whereas:

  php -r 'print 2.2250738585072010e-308;'

  returns immediately.

  Confirmed for natty/php5-cli=5.3.3-1ubuntu11

  Fixed in new upstream releases:
- http://www.php.net/ChangeLog-5.php#5.3.4
- http://www.php.net/releases/5_2_17.php
+ http://www.php.net/ChangeLog-5.php#5.3.5
+ http://www.php.net/releases/5_2_17.php
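A patch-verification check built on the two commands in the description above, added here as an example and not part of the bug report: it runs each literal through a PHP CLI under a time limit, so the check itself cannot hang on an unpatched build. The names `probe_literal`, `check_build`, `PHP_BIN` and `LIMIT`, and the 5-second default, are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify how a PHP CLI handles a float literal, with a
# hard time limit so an affected build cannot hang the check itself.
# PHP_BIN, LIMIT, probe_literal and check_build are names chosen here.

PHP_BIN="${PHP_BIN:-php}"   # interpreter under test
LIMIT="${LIMIT:-5}"         # seconds before the run is counted as a hang

# probe_literal LITERAL -> prints "ok", "hang", "error" or "no-php"
probe_literal() {
    literal=$1
    # Accept only plain decimal float syntax; nothing else reaches "php -r".
    case $literal in
        ''|*[!0-9.eE+-]*) echo "error"; return 0 ;;
    esac
    command -v "$PHP_BIN" >/dev/null 2>&1 || { echo "no-php"; return 0; }
    rc=0
    timeout "$LIMIT" "$PHP_BIN" -r "print $literal;" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   echo "ok" ;;
        124) echo "hang" ;;     # timeout(1) reports 124 when the limit expired
        *)   echo "error" ;;
    esac
}

# check_build -> returns 0 if neither literal from the report hangs, else 1.
# Prints one "literal<TAB>result" line per probe.
check_build() {
    status=0
    for lit in 2.2250738585072011e-308 2.2250738585072010e-308; do
        result=$(probe_literal "$lit")
        printf '%s\t%s\n' "$lit" "$result"
        if [ "$result" = "hang" ]; then
            status=1
        fi
    done
    return $status
}
```

Source the file and call `check_build`; a nonzero return means at least one literal hit the time limit on the interpreter named by `PHP_BIN`.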
[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308
This bug was fixed in the package php5 - 5.3.3-1ubuntu12

---
php5 (5.3.3-1ubuntu12) natty; urgency=low

  * debian/patches/fix-upstream-bug53632.patch: Fix infinite loop bug
    (php bug #53632) (LP: #697181)

 -- Chuck Short zul...@ubuntu.com  Fri, 07 Jan 2011 12:57:59 -0500

** Changed in: php5 (Ubuntu Natty)
       Status: Confirmed => Fix Released
[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308
And there's a patch:

Fix: http://svn.php.net/viewvc?view=revision&revision=307095
Test case: http://svn.php.net/viewvc?view=revision&revision=307097

See: http://bugs.php.net/bug.php?id=53632
[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308
Confirmed in Ubuntu 10.04 lucid using:

echo '<?php $d = 2.2250738585072011e-308; ?>' | time -p php5

which hangs. Ubuntu 8.04 hardy does not hang.

** Changed in: php5 (Ubuntu Lucid)
       Status: Incomplete => Confirmed
[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308
Confirmed on Ubuntu 10.10+ 32bit

php --version
PHP 5.3.3-1ubuntu9.1 with Suhosin-Patch (cli) (built: Oct 15 2010 14:17:04)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with Suhosin v0.9.31, Copyright (c) 2007-2010, by SektionEins GmbH

see also: http://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/

** Changed in: php5 (Ubuntu)
       Status: New => Confirmed
[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308
** Also affects: php5 (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Also affects: php5 (Ubuntu Maverick)
   Importance: Undecided
       Status: New

** Also affects: php5 (Ubuntu Natty)
   Importance: Undecided
       Status: Confirmed

** Changed in: php5 (Ubuntu Maverick)
       Status: New => Confirmed

** Changed in: php5 (Ubuntu Lucid)
       Status: New => Incomplete