ID:               47828
 Updated by:       paj...@php.net
 Reported By:      reinke at securityspace dot com
 Status:           Closed
 Bug Type:         OpenSSL related
 Operating System: Linux (Debian Lenny)
 PHP Version:      5.2.9
 Assigned To:      scottmac
 New Comment:

For the record here, if you use ubuntu you can follow this issue here:

https://bugs.launchpad.net/bugs/351730

I also updated the test case using the one from Kees Cook as it covers
more architectures (incl. the intel ones I have here, and that's nice
:).


Previous Comments:
------------------------------------------------------------------------

[2009-03-30 14:55:40] paj...@php.net

Note that even people from Ubuntu security were not able to reproduce
it (I asked them to take a look at the report). So excuse me but there
were doubts about this bug, like it or not. And that's why I asked you
to test with our src, you did, thanks.

Also, I did not ask you not to use the distribution version of php
but to use our sources to see if the bug can be reproduced. It is common
practice to ask that, not only in php.

------------------------------------------------------------------------

[2009-03-30 14:43:12] reinke at securityspace dot com

>> No, our official distributions channel is
>> http://www.php.net/downloads
>> and http://windows.php.net, nothing else.

Pierre - that's wishful thinking and a pile of crock.
Argue over the semantics of "official" however you
wish. The reality, however, is that about 28% of
all web sites with PHP are known to be using a
Distro version of PHP.  And of the remaining 72%,
we can't even say they are using a version from
your web site, only that we don't know if they are
using your version, or one from a distro.

Don't get me wrong - your (PHP's) fix time on this was 
absolutely amazing, and to repeat, we have no issue with 
helping out on a problem.  But telling folks not to use a
distro version of PHP is just not in line with reality.

And for the record - every 5.2.x install we've
touched on a Linux box was vulnerable.  If you
couldn't reproduce on Ubuntu or Debian using
the concise 3 line script provided after several
hours of our digging to make it easy on you, perhaps
you need to have a broader range of hardware to
check on. Every x86 based install WE checked on
5.2.x was vulnerable and reproduced the problem.
INCLUDING your latest snapshot.

Grumble - you ought to take this thread and mark it as a
"how to take a customer that was willing to help find
a bug that crashes your application and really piss
him off."

Scott - thanks for the quick fix. Above and beyond.

Thomas

------------------------------------------------------------------------

[2009-03-30 09:59:49] paj...@php.net

First, I do not care if it took 0.5 second or 3 hours.

Secondly, the bug is less than a day old, we did run tests and it did
not crash on all platforms I can test (windows, ubuntu x64/x86 and
debian). So no, it was not obvious that there was a real bug in the
current code.

And finally, you can't know if a) there is already a patch or a fix and
b) what's the status, simply because you did not bother to ask.

There is no problem to take over any bug as long as you simply ask
before. It will save us time and pains (as in this kind of discussions,
which happen only with you).

Thanks for your understanding and your work.

------------------------------------------------------------------------

[2009-03-30 09:24:43] scott...@php.net

Pierre, using the test given by the reporter I could reproduce this;
it took less than a minute to find the issue.

Assigning yourself a bug that you'll look at next week isn't all that
useful, especially if someone with more time comes along in that next
week. Perhaps we need to add multiple assignment to bugs?

FYI OpenSSL versions:
OpenSSL 0.9.7l 28 Sep 2006 (OS X default)
OpenSSL 0.9.8j 07 Jan 2009

------------------------------------------------------------------------

[2009-03-30 06:00:06] paj...@php.net

"With all due respect - we are using PHP's official
release.  On Debian. As provided by the distro.
On Ubuntu.  As provided by Ubuntu.  On Fedora. As
provided by... well, you get it.   Like it or
not, these vendors are your distribution channel"

No, our official distributions channel is http://www.php.net/downloads
and http://windows.php.net, nothing else.

Distributions, in their majority, do a great job at distributing php
but they are not our official releases channel, especially not when they
use unofficial patches like suhosin or other random changes.

The reason we ask to try PHP's version is to be sure about the src of
the problem, we have no control over what the distros do or don't.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/47828
