From: Operating system: Linux PHP version: 5.3.3 Package: Dynamic loading Bug Type: Bug Bug description:dynamic loading bug related with CVE-2010-3847
Description: ------------ I'm running Apache setuid as root. When I convert a string from EUC-KR to UTF-8 with iconv, I get the following message: iconv(): Wrong charset, conversion from 'EUC-KR' to 'UTF-8' is not allowed. After some googling, I found the reason. This problem is caused by a security patch to the glibc ld.so dynamic linker. http://www.securityfocus.com/bid/44154 glibc-2.11 and later have been patched, so you can reproduce the same results. Test code <? $test='adasdasd'; echo iconv('euc-kr', 'utf-8', $test); ?> Here are some strace results. In the second trace (setuid binary), the linker searches for libKSC.so under the literal, unexpanded string $ORIGIN and never looks in /usr/lib/gconv, so libKSC.so, which the first trace loads from /usr/lib/gconv right after EUC-KR.so, is not found in any of the locations shown. 1. with plain php cli binary ------------ CLIP ----------------- futex(0xb73aca8c, FUTEX_WAKE_PRIVATE, 2147483647) = 0 open("/usr/lib/gconv/EUC-KR.so", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\4\0\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0644, st_size=13624, ...}) = 0 mmap2(NULL, 12316, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb722f000 mmap2(0xb7231000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xb7231000 close(3) = 0 open("/usr/lib/gconv/tls/i686/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/tls/i686/sse2/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory) open("/usr/lib/gconv/tls/i686/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/tls/i686/sse2", 0xbf9d912c) = -1 ENOENT (No such file or directory) open("/usr/lib/gconv/tls/i686/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/tls/i686/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory) open("/usr/lib/gconv/tls/i686/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/tls/i686", 0xbf9d912c) = -1 ENOENT (No such file or directory) open("/usr/lib/gconv/tls/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/tls/sse2/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory) 
open("/usr/lib/gconv/tls/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/tls/sse2", 0xbf9d912c) = -1 ENOENT (No such file or directory) open("/usr/lib/gconv/tls/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/tls/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory) open("/usr/lib/gconv/tls/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/tls", 0xbf9d912c) = -1 ENOENT (No such file or directory) open("/usr/lib/gconv/i686/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/i686/sse2/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory) open("/usr/lib/gconv/i686/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/i686/sse2", 0xbf9d912c) = -1 ENOENT (No such file or directory) open("/usr/lib/gconv/i686/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/i686/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory) open("/usr/lib/gconv/i686/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/i686", 0xbf9d912c) = -1 ENOENT (No such file or directory) open("/usr/lib/gconv/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/sse2/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory) open("/usr/lib/gconv/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/sse2", 0xbf9d912c) = -1 ENOENT (No such file or directory) open("/usr/lib/gconv/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) stat64("/usr/lib/gconv/cmov", 0xbf9d912c) = -1 ENOENT (No such file or directory) open("/usr/lib/gconv/libKSC.so", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0 \4\0\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0644, st_size=46384, ...}) = 0 mmap2(NULL, 49172, PROT_READ|PROT_EXEC, 
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7222000 mmap2(0xb722d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa) = 0xb722d000 close(3) = 0 mprotect(0xb722d000, 4096, PROT_READ) = 0 mprotect(0xb7231000, 4096, PROT_READ) = 0 ------------ CLIP ----------------- 2. with php cli binary setuided as root (run as normal user) ------------ CLIP ----------------- futex(0xb7469a8c, FUTEX_WAKE_PRIVATE, 2147483647) = 0 open("/usr/lib/gconv/EUC-KR.so", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\4\0\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0644, st_size=13624, ...}) = 0 mmap2(NULL, 12316, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb72ec000 mmap2(0xb72ee000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xb72ee000 close(3) = 0 open("$ORIGIN/tls/i686/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/tls/i686/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/tls/i686/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/tls/i686/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/tls/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/tls/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/tls/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/tls/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/i686/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/i686/sse2/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/i686/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/i686/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/sse2/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/sse2/libKSC.so", 
O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/cmov/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("$ORIGIN/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/home/betmaster/apps/mysql/lib/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=16316, ...}) = 0 mmap2(NULL, 16316, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb72e8000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/libKSC.so", O_RDONLY) = -1 ENOENT (No such file or directory) ------------ CLIP ----------------- -- Edit bug report at http://bugs.php.net/bug.php?id=53275&edit=1
