ID:               47828
 Updated by:       [email protected]
 Reported By:      reinke at securityspace dot com
 Status:           Feedback
-Bug Type:         Reproducible crash
+Bug Type:         OpenSSL related
 Operating System: Linux (Debian Lenny)
 PHP Version:      5.2.9
 Assigned To:      pajoye
 New Comment:

Can't reproduce on Ubuntu 8.10, Windows or latest Debian (using PHP
sources).

I would suggest first checking whether you have the latest openssl
installed (Debian's openssl package contains the latest fixes).


Previous Comments:
------------------------------------------------------------------------

[2009-03-29 16:09:50] [email protected]

Please try using our official releases, not the patched PHP from
Debian. 

I will also test your csr later this week.

------------------------------------------------------------------------

[2009-03-29 16:02:30] reinke at securityspace dot com

Description:
------------
A user calling openssl_x509_parse is able to induce a segfault
by passing in specific data. In this case, the data is a certificate
found on a public SSL site.

The command-line version of PHP from the latest Debian (Lenny) is used;
php -v reports the following (contrary to your form, I'm guessing Lenny is
up to 5.2.9 with the patch line as shown below):

PHP 5.2.6-1+lenny2 with Suhosin-Patch 0.9.6.2 (cli) (built: Jan 26 2009
22:41:04)

PHP script that reproduces the problem is included below.

This certificate is one of more than half a million.  Only this
certificate caused the coredump.  An older (_much_ older - PHP 4.4.1)
version of PHP did not exhibit this problem.

In all fairness, it's not clear to me at this point that the problem
is in PHP - it's looking highly possible to be in the underlying
libraries.

Reproduce code:
---------------
<?php
        // The PEM is a single double-quoted string; its "\n" escapes are already
        // real newlines, so the str_replace() below is a no-op kept from the report.
        $certnl = "-----BEGIN CERTIFICATE-----\nMIIEKzCCAxOgAwIBAgICAtUwDQYJKoZIhvcNAQEFBQAwgewxFjAUBgNVBC0DDQBT\nUFI5NjEyMTdOSzkxETAPBgNVBAcTCENveW9hY+FuMQswCQYDVQQIEwJERjELMAkG\nA1UEBhMCTVgxDjAMBgNVBBETBTA0MDAwMR8wHQYDVQQJExZQYW56YWNvbGEgIzYy\nIDFlciBwaXNvMSgwJgYDVQQDEx9BdXRvcmlkYWQgY2VydGlmaWNhZG9yYSBJbnRl\ncm5hMRMwEQYDVQQLEwpUZWNub2xvZ+1hMRMwEQYDVQQKEwpTZWd1cmlEYXRhMSAw\nHgYJKoZIhvcNAQkBFhFhY0BzZWd1cmlkYXRhLmNvbTAeFw0wNzAyMTIwMDAwMDBa\nFw0xMjAyMjkwMDAwMDBaMIIBDDEWMBQGA1UELQMNAFNQUjk2MTIxN05LOTEXMBUG\nA1UEBxMOQWx2YXJvIE9icmVnb24xDTALBgNVBAgTBEQuRi4xCzAJBgNVBAYTAk1Y\nMQ4wDAYDVQQREwUwMTAwMDEoMCYGA1UECRMfSW5zdXJnZW50ZXMgU3VyIDIzNzUs\nIDNlci4gUGlzbzEbMBkGA1UEAxMSd3d3LnNlZ3VyaWRhdGEuY29tMREwDwYDVQQL\nEwhJbnRlcm5ldDEpMCcGA1UEChMgU2VndXJpRGF0YSBQcml2YWRhLCBTLkEuIGRl\nIEMuVi4xKDAmBgkqhkiG9w0BCQEWGXBvc3RtYXN0ZXJAc2VndXJpZGF0YS5jb20w\ngZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANG/rb52Ou//dnkHysR5m7T4r8QM\nKOM/CP0OEXTOC+a+47RsZjqNiZsBkSeR92OFPpkw5bJ85IAD/Tgx7Tli3ryJfrdk\nWMfkXpzWW0YmeTrghL0DMNd8nYc9voVv+OGnIZ0W4Mhz31eiThmyy7Fs8ZlFyfkR\nREj5OQvq+z+NP/n/AgMBAAGjODA2MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1Ud\nDwQFAwMH6AAwEQYJYIZIAYb4QgEBBAQDAgBAMA0GCSqGSIb3DQEBBQUAA4IBAQCq\nnBqQEb7H6Gxi4KXBn1lrPd5KWO40iSD7BREU8e0eI1ZLZvi4IEAlmyG81Le037jo\nirMUDS2Ue5WI61QnGw4LhnYlCIuffU7fTs+UbrOE4qNU67G+XBfjk0gHkXHmEYbb\nEOR9OHeDcYFgcl3j4SLg/ff6oRYbMkQRCrgQzrl/MNkuqDWJrcigS9OD6OTgRyEo\n7Zvf7/ofWIzTIvINbfjQzSTr8AbI4SbuU9iKgVGDQQF6cfpBmOYgnr3QPuoTQCoU\npz9H9wBlz/Nmw12YtfCmGqpIFAxpRGFQTGPNJWr4FdZkUM792lm7Sf3zzSvi8Ruz\nM3dwifRsZyZyruy4tMsu\n-----END CERTIFICATE-----\n";
        $cert = str_replace("\\n", "\n", $certnl);
        $arr = openssl_x509_parse($cert);   // the call that segfaulted on PHP 5.2.6-1+lenny2
?>


Expected result:
----------------
No segmentation fault.

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb77946d0 (LWP 10516)]
0xb7985c1c in memcpy () from /lib/i686/cmov/libc.so.6
(gdb) bt
#0  0xb7985c1c in memcpy () from /lib/i686/cmov/libc.so.6
#1  0x082b7571 in _estrndup ()
#2  0x082d8245 in add_next_index_stringl ()
#3  0x0809d6d0 in ?? ()
#4  0x08fea7c0 in ?? ()
#5  0xb7f332e0 in ?? () from /lib/ld-linux.so.2
#6  0xb77bab48 in ?? ()
#7  0x00000001 in ?? ()
#8  0x00000001 in ?? ()
#9  0xbfc385c4 in ?? ()
#10 0x08fea7c0 in ?? ()
#11 0x083587c3 in ?? ()
#12 0x08fe93b4 in ?? ()
#13 0x00000001 in ?? ()
#14 0xb78da3e8 in ?? () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
#15 0x0901e9a8 in ?? ()
#16 0x0901ee20 in ?? ()
#17 0xffffffff in ?? ()
#18 0x00000001 in ?? ()
#19 0xbfc38758 in ?? ()
#20 0xb7f332e0 in ?? () from /lib/ld-linux.so.2
#21 0x0809d947 in zif_openssl_x509_parse ()
Backtrace stopped: frame did not save the PC



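The report above describes a bulk job (more than half a million certificates) in which a single certificate crashed the whole PHP process inside openssl_x509_parse(). The following is an added example, not the reporter's code and not part of PHP or OpenSSL: it parses each untrusted PEM in a short-lived child process, so a crash in the parser is recorded for that one input (by its termination signal) while the job carries on. It assumes PHP 7.4 or newer with the openssl extension on a POSIX system where PHP_BINARY is the php CLI; the two sample certificates are constructed at run time (a self-signed one and a bogus one), and the helper names parse_cert_isolated(), worker_code() and sample_certs() are this example's own.

```php
<?php
// Added example (not from the bug report): isolate openssl_x509_parse() of untrusted
// input in a child process so a parser crash loses one certificate, not the whole job.
// Assumes PHP >= 7.4 (array form of proc_open), openssl extension, POSIX, PHP_BINARY = php CLI.

// Code the child runs via `php -r`: read one PEM from stdin, print a JSON summary.
function worker_code(): string
{
    return <<<'PHP'
$info = @openssl_x509_parse(stream_get_contents(STDIN));
echo json_encode($info === false ? null : [
    'subject' => $info['subject'],
    'validTo' => $info['validTo_time_t'],
], JSON_INVALID_UTF8_SUBSTITUTE);
PHP;
}

/**
 * Parse one certificate in an isolated process.
 * Returns ['status' => 'ok'|'invalid'|'crashed'|'error', 'data' => ?array, 'detail' => string].
 */
function parse_cert_isolated(string $pem): array
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([PHP_BINARY, '-d', 'display_errors=stderr', '-r', worker_code()], $spec, $pipes);
    if (!is_resource($proc)) {
        return ['status' => 'error', 'data' => null, 'detail' => 'proc_open failed'];
    }
    fwrite($pipes[0], $pem);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);   // blocks until the child exits or closes stdout
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    // Poll until the child has been reaped; only the first non-running status
    // carries the real exit code / termination signal, so keep that one.
    do {
        $st = proc_get_status($proc);
        if ($st['running']) {
            usleep(10000);
        }
    } while ($st['running']);
    proc_close($proc);

    if ($st['signaled']) {
        // The parser died on a signal (11 = SIGSEGV on Linux): quarantine this input.
        return ['status' => 'crashed', 'data' => null, 'detail' => 'signal ' . $st['termsig']];
    }
    if ($st['exitcode'] !== 0) {
        return ['status' => 'error', 'data' => null, 'detail' => trim($err)];
    }
    $data = json_decode($out, true);
    return $data === null
        ? ['status' => 'invalid', 'data' => null, 'detail' => 'openssl_x509_parse returned false']
        : ['status' => 'ok', 'data' => $data, 'detail' => ''];
}

// Constructed inputs: a freshly generated self-signed certificate (should parse)
// and base64 garbage wrapped in PEM markers (should be reported as invalid).
function sample_certs(): array
{
    $key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr  = openssl_csr_new(['commonName' => 'example.test'], $key);
    $x509 = openssl_csr_sign($csr, null, $key, 1);
    openssl_x509_export($x509, $pem);
    return [
        'self-signed' => $pem,
        'not-a-cert'  => "-----BEGIN CERTIFICATE-----\nbm90IGEgY2VydA==\n-----END CERTIFICATE-----\n",
    ];
}

foreach (sample_certs() as $label => $pem) {
    $r = parse_cert_isolated($pem);
    printf("%-12s %-8s %s\n", $label, $r['status'],
        $r['status'] === 'ok' ? ($r['data']['subject']['CN'] ?? '?') : $r['detail']);
}
```

For a scan-sized run the per-certificate process spawn is the price of containment; batching several PEMs per child and restarting the child on a crash keeps most of the benefit at lower cost. A wall-clock limit (stream_select() on the pipes plus proc_terminate()) is the other guard worth adding, since a parser hang is as damaging to a bulk job as a segfault.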
------------------------------------------------------------------------