#47828 [Csd]: Seg Fault in openssl_x509_parse

2009-03-30 Thread reinke at securityspace dot com
 ID:   47828
 User updated by:  reinke at securityspace dot com
 Reported By:  reinke at securityspace dot com
 Status:   Closed
 Bug Type: OpenSSL related
 Operating System: Linux (Debian Lenny)
 PHP Version:  5.2.9
 Assigned To:  scottmac
 New Comment:

> No, our official distributions channel is
> http://www.php.net/downloads
> and http://windows.php.net, nothing else.

Pierre - that's wishful thinking and a pile of crock.
Argue over the semantics of official however you 
wish. The reality, however, is that about 28% of
all web sites with PHP are known to be using a
Distro version of PHP.  And of the remaining 72%,
we can't even say they are using a version from
your web site, only that we don't know if they are
using your version, or one from a distro.

Don't get me wrong - your (PHP's) fix time on this was 
absolutely amazing, and to repeat, we have no issue with 
helping out on a problem.  But telling folks not to use a
distro version of PHP is just not in line with reality.

And for the record - every 5.2.x install we've
touched on a Linux box was vulnerable.  If you
couldn't reproduce on Ubuntu or Debian using
the concise 3 line script provided after several
hours of our digging to make it easy on you, perhaps
you need to have a broader range of hardware to
check on. Every x86 based install WE checked on
5.2.x was vulnerable and reproduced the problem.
INCLUDING your latest snapshot.

Grumble - you ought to take this thread and mark it as a
how-to on taking a customer who was willing to help find
a bug that crashes your application and really pissing
him off.

Scott - thanks for the quick fix. Above and beyond.

Thomas


Previous Comments:


[2009-03-30 09:59:49] paj...@php.net

First, I do not care if it took 0.5 second or 3 hours.

Secondly, the bug is less than a day old, we did run tests and it did
not crash on all platforms I can test (windows, ubuntu x64/x86 and
debian). So no, it was not obvious that there was a real bug in the
current code.

And finally, you can't know if a) there is already a patch or a fix and
b) what's the status, simply because you did not bother to ask.

There is no problem to take over any bug as long as you simply ask
before. It will save us time and pains (as in this kind of discussions,
which happen only with you).

Thanks for your understanding and your work.



[2009-03-30 09:24:43] scott...@php.net

Pierre using the test given by the reporter I could reproduce this,
took less than a minute to find the issue.

Assigning yourself a bug that you'll look at next week isn't all that
useful, especially if someone with more time comes along in that next
week. Perhaps we need to add multiple assignment to bugs?

FYI OpenSSL versions
OpenSSL 0.9.7l 28 Sep 2006 (OS X default)
OpenSSL 0.9.8j 07 Jan 2009





[2009-03-30 06:00:06] paj...@php.net

> With all due respect - we are using PHP's official
> release.  On Debian. As provided by the distro.
> On Ubuntu.  As provided by Ubuntu.  On Fedora. As
> provided by... well, you get it.   Like it or
> not, these vendors are your distribution channel

No, our official distributions channel is http://www.php.net/downloads
and http://windows.php.net, nothing else.

Distributions, in their majority, do a great job at distributing php
but they are not our official releases channel, especially not when they
use unofficial patches like suhosin or other random changes.

The reason we ask to try PHP's version is to be sure about the src of
the problem, we have no control over what the distros do or don't.



[2009-03-30 05:52:22] paj...@php.net

Scott, that's nice but add a test please with the data you use to
reproduce the segfault.



[2009-03-29 23:45:51] scott...@php.net

I fixed it about 10 minutes ago, the snapshot is from a few hours ago.



The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/47828

-- 
Edit this bug report at http://bugs.php.net/?id=47828edit=1



#47828 [NEW]: Seg Fault in openssl_x509_parse

2009-03-29 Thread reinke at securityspace dot com
From: reinke at securityspace dot com
Operating system: Linux (Debian Lenny)
PHP version:  5.2.9
PHP Bug Type: Reproducible crash
Bug description:  Seg Fault in openssl_x509_parse

Description:

A user calling openssl_x509_parse is able to induce a segfault
by passing in specific data. In this case, the data is a certificate
found on a public SSL site.

Command line version of PHP is used in latest Debian (Lenny),
php -v reports: (Contrary to your form - I'm guessing Lenny is
up to 5.2.9 with the patch line as shown below)

PHP 5.2.6-1+lenny2 with Suhosin-Patch 0.9.6.2 (cli) (built: Jan 26 2009 22:41:04)

PHP script that reproduces the problem is included below.

This certificate is one of more than half a million.  Only this 
certificate caused the coredump.  Older (_much_ older - PHP 4.4.1)
version of PHP did not exhibit this problem.

In all fairness, it's not clear to me at this point that the problem
is in PHP - it's looking highly possible to be in the underlying
libraries.

Reproduce code:
---
<?php
$certnl = "-----BEGIN CERTIFICATE-----\nMIIEKzCCAxOgAwIBAgICAtUwDQYJKoZIhvcNAQEFBQAwgewxFjAUBgNVBC0DDQBT\nUFI5NjEyMTdOSzkxETAPBgNVBAcTCENveW9hY+FuMQswCQYDVQQIEwJERjELMAkG\nA1UEBhMCTVgxDjAMBgNVBBETBTA0MDAwMR8wHQYDVQQJExZQYW56YWNvbGEgIzYy\nIDFlciBwaXNvMSgwJgYDVQQDEx9BdXRvcmlkYWQgY2VydGlmaWNhZG9yYSBJbnRl\ncm5hMRMwEQYDVQQLEwpUZWNub2xvZ+1hMRMwEQYDVQQKEwpTZWd1cmlEYXRhMSAw\nHgYJKoZIhvcNAQkBFhFhY0BzZWd1cmlkYXRhLmNvbTAeFw0wNzAyMTIwMDAwMDBa\nFw0xMjAyMjkwMDAwMDBaMIIBDDEWMBQGA1UELQMNAFNQUjk2MTIxN05LOTEXMBUG\nA1UEBxMOQWx2YXJvIE9icmVnb24xDTALBgNVBAgTBEQuRi4xCzAJBgNVBAYTAk1Y\nMQ4wDAYDVQQREwUwMTAwMDEoMCYGA1UECRMfSW5zdXJnZW50ZXMgU3VyIDIzNzUs\nIDNlci4gUGlzbzEbMBkGA1UEAxMSd3d3LnNlZ3VyaWRhdGEuY29tMREwDwYDVQQL\nEwhJbnRlcm5ldDEpMCcGA1UEChMgU2VndXJpRGF0YSBQcml2YWRhLCBTLkEuIGRl\nIEMuVi4xKDAmBgkqhkiG9w0BCQEWGXBvc3RtYXN0ZXJAc2VndXJpZGF0YS5jb20w\ngZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANG/rb52Ou//dnkHysR5m7T4r8QM\nKOM/CP0OEXTOC+a+47RsZjqNiZsBkSeR92OFPpkw5bJ85IAD/Tgx7Tli3ryJfrdk\nWMfkXpzWW0YmeTrghL0DMNd8nYc9voVv+OGnIZ0W4Mhz31eiThmyy7Fs8ZlFyfkR\nREj5OQvq+z+NP/n/AgMBAAGjODA2MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1Ud\nDwQFAwMH6AAwEQYJYIZIAYb4QgEBBAQDAgBAMA0GCSqGSIb3DQEBBQUAA4IBAQCq\nnBqQEb7H6Gxi4KXBn1lrPd5KWO40iSD7BREU8e0eI1ZLZvi4IEAlmyG81Le037jo\nirMUDS2Ue5WI61QnGw4LhnYlCIuffU7fTs+UbrOE4qNU67G+XBfjk0gHkXHmEYbb\nEOR9OHeDcYFgcl3j4SLg/ff6oRYbMkQRCrgQzrl/MNkuqDWJrcigS9OD6OTgRyEo\n7Zvf7/ofWIzTIvINbfjQzSTr8AbI4SbuU9iKgVGDQQF6cfpBmOYgnr3QPuoTQCoU\npz9H9wBlz/Nmw12YtfCmGqpIFAxpRGFQTGPNJWr4FdZkUM792lm7Sf3zzSvi8Ruz\nM3dwifRsZyZyruy4tMsu\n-----END CERTIFICATE-----\n";
$cert = str_replace("\\n", "\n", $certnl);
$arr = openssl_x509_parse($cert);
?>


Expected result:

Not to see a segmentation fault.

Actual result:
--
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb77946d0 (LWP 10516)]
0xb7985c1c in memcpy () from /lib/i686/cmov/libc.so.6
(gdb) bt
#0  0xb7985c1c in memcpy () from /lib/i686/cmov/libc.so.6
#1  0x082b7571 in _estrndup ()
#2  0x082d8245 in add_next_index_stringl ()
#3  0x0809d6d0 in ?? ()
#4  0x08fea7c0 in ?? ()
#5  0xb7f332e0 in ?? () from /lib/ld-linux.so.2
#6  0xb77bab48 in ?? ()
#7  0x0001 in ?? ()
#8  0x0001 in ?? ()
#9  0xbfc385c4 in ?? ()
#10 0x08fea7c0 in ?? ()
#11 0x083587c3 in ?? ()
#12 0x08fe93b4 in ?? ()
#13 0x0001 in ?? ()
#14 0xb78da3e8 in ?? () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
#15 0x0901e9a8 in ?? ()
#16 0x0901ee20 in ?? ()
#17 0x in ?? ()
#18 0x0001 in ?? ()
#19 0xbfc38758 in ?? ()
#20 0xb7f332e0 in ?? () from /lib/ld-linux.so.2
#21 0x0809d947 in zif_openssl_x509_parse ()
Backtrace stopped: frame did not save the PC



#47828 [Fbk-Opn]: Seg Fault in openssl_x509_parse

2009-03-29 Thread reinke at securityspace dot com
 ID:   47828
 User updated by:  reinke at securityspace dot com
 Reported By:  reinke at securityspace dot com
-Status:   Feedback
+Status:   Open
 Bug Type: OpenSSL related
 Operating System: Linux (Debian Lenny)
 PHP Version:  5.2.9
 Assigned To:  pajoye
 New Comment:

Further testing has confirmed this is reproducible
on a variety of Linux distributions.  Some of these
have been tested with virgin (installed from ISOs,
but no updates applied) configurations, some with
fully up to date (all updates applied).

Confirmed as reproducible:

Distro            PHP version
----------------  ------------------------------------------------
Debian 5.0        5.2.6-1+lenny2
Ubuntu 8.10       PHP 5.2.6-2ubuntu4.1 with Suhosin-Patch 0.9.6.2
Fedora Core 10    PHP 5.2.6
Slackware 12.1    PHP 5.2.5
Gentoo            PHP 5.2.6-r7 (old version), 5.2.8-r2 (up to date)

Debian 5.0 systems are fully up to date.
Ubuntu 8.10 tested 2 setups, both seg faulted.
- Setup 1: Latest PHP, ISO version of OpenSSL
- Setup 2: Fully updated system
Fedora Core 10 - tested both on virgin setup as well as
fully up to date systems. Both setups segfaulted.
Slackware - only virgin setup tested.
Gentoo - 5.2.6-r7 - known out of date.  5.2.8-r2 involved a sync
and rebuild of openssl and php along with a few other packages.
Both seg faulted.

On vulnerable systems, running

   openssl x509 -inform PEM -in badcert.pem -text

where the signed pub key provided earlier is in badcert.pem
(with \n markers appropriately changed to newline)
spits out all information in the cert without any 
apparent problems.

The Ubuntu 8.10 gdb backtrace is typical of
the systems we tested (we stopped checking
backtraces after Deb, Ubuntu, FC10 all produced
the same thing)

# gdb php
snip
(gdb) r core2.php
snip
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb78088e0 (LWP 4011)]
0xb79dbb56 in memcpy () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0  0xb79dbb56 in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1  0x in ?? ()
#2  0x082dea85 in add_next_index_stringl ()
#3  0x0809df90 in ?? ()
#4  0x0809e23a in zif_openssl_x509_parse ()
#5  0x08313f23 in ?? ()
#6  0x082ff3bb in execute ()
snip

If you really think our SSL packages were out of
date, we can provide that info. But we're pretty sure
that in situations where we said we're fully up to date,
that we were.

We're aware we could install PHP from sources directly
from php.net, but for maintenance reasons _really_ want
to use the distro's packages.  ALL of the above testing
was using the distro's prepackaged software.

We could NOT reproduce this on:
   CentOS 5.1 (php 5.1.6-20.el5_2.1)
   RedHat 5.2 (php 5.1.6-20.el5)


Previous Comments:


[2009-03-29 17:20:16] paj...@php.net

Can't reproduce on Ubuntu 8.10, windows or latest debian (using PHP
sources).

I would suggest to first see if you have the latest openssl (openssl
debian's package contains the latest fixes) install.



[2009-03-29 16:09:50] paj...@php.net

Please try using our official releases, not the patched PHP from
Debian. 

I will also test your csr later this week.




#47828 [Opn]: Seg Fault in openssl_x509_parse

2009-03-29 Thread reinke at securityspace dot com
 ID:   47828
 User updated by:  reinke at securityspace dot com
 Reported By:  reinke at securityspace dot com
 Status:   Open
 Bug Type: OpenSSL related
-Operating System: Linux (Debian Lenny)
+Operating System: Linux (Multiple Distributions)
 PHP Version:  5.2.9
 Assigned To:  pajoye
 New Comment:

Updated OSes impacted.



#47828 [Opn]: Seg Fault in openssl_x509_parse

2009-03-29 Thread reinke at securityspace dot com
 ID:   47828
 User updated by:  reinke at securityspace dot com
 Reported By:  reinke at securityspace dot com
 Status:   Open
 Bug Type: OpenSSL related
 Operating System: Linux (Debian Lenny)
 PHP Version:  5.2.9
 Assigned To:  pajoye
 New Comment:

With all due respect - we are using PHP's official
release.  On Debian. As provided by the distro.
On Ubuntu.  As provided by Ubuntu.  On Fedora. As
provided by... well, you get it.   Like it or
not, these vendors are your distribution channel,
and what they provide IS defacto your official
release. Simply by virtue of the fact that most
people are using that channel for getting their
binary version of PHP.

If you are asking us to help TEST the bug, fine -
that's not a problem.  If you are suggesting what
I think you suggested, that is upgrading
to your official off the www.php.net web site
release to solve the problem, that's not happening,
for a large variety of reasons.  Nor will it happen
for a LOT of other users, either.

FWIW - on a Fedora Core 10 system, fully updated,
your snapshot (php5.2-200903292030) configured and 
compiled with

  ./configure --with-openssl
  make

reproduces the problem.


Previous Comments:


[2009-03-29 21:51:18] paj...@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/





[2009-03-29 21:51:04] paj...@php.net

Thanks for testing all these distributions but it is not what I was
asking.

Please use PHP.net's sources, available in our downloads page,
snapshots via cvs.

See my next comment for the snapshot links.




#47828 [Csd]: Seg Fault in openssl_x509_parse

2009-03-29 Thread reinke at securityspace dot com
 ID:   47828
 User updated by:  reinke at securityspace dot com
 Reported By:  reinke at securityspace dot com
 Status:   Closed
 Bug Type: OpenSSL related
 Operating System: Linux (Debian Lenny)
 PHP Version:  5.2.9
 Assigned To:  pajoye
 New Comment:

Also reproduced on Lenny using snapshot php5.2-200903292230.

./configure --with-openssl
make
sapi/cli/php ~/core2.php
- segmentation fault.


Previous Comments:


[2009-03-29 23:33:40] scott...@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

The string tried to decode one of the items to utf-8 and it failed,
this wasn't properly checked resulting in a segfault.
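
Added example (written for this page; it is not PHP's or OpenSSL's code) illustrating the failure mode described in the fix comment above: a name entry is converted to UTF-8, the conversion fails, and the failure code is handed on as a string length, which is what puts memcpy() under add_next_index_stringl() at the top of the reporter's backtrace. The thread does not say which entry failed; the example assumes a converter in the style of OpenSSL's ASN1_STRING_to_UTF8(), which returns a negative value for types it cannot convert, and stands in for it with a small self-contained routine so no libcrypto is needed. The sample name entries (PrintableString CN and C, a T61String locality, and a BIT STRING value) are constructed for the example. add_entry_unchecked() shows the unchecked pattern and is never called; add_entry_checked() shows the check the fix needs.

```c
/* Added example, not PHP's or OpenSSL's code: models the unchecked UTF-8
 * conversion behind the openssl_x509_parse() crash.  asn1_to_utf8() stands
 * in for ASN1_STRING_to_UTF8(): it returns the UTF-8 length, or -1 for a
 * type it cannot convert.  Sample name entries are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define V_ASN1_BIT_STRING       3
#define V_ASN1_UTF8STRING      12
#define V_ASN1_PRINTABLESTRING 19
#define V_ASN1_T61STRING       20
#define V_ASN1_IA5STRING       22

typedef struct { int type; const unsigned char *data; int length; } asn1_str;
typedef struct { char *val[16]; int count; } str_list;

/* Stand-in converter: on success *out is a malloc'd NUL-terminated UTF-8
 * copy and its length is returned; on failure -1 is returned, *out untouched. */
static int asn1_to_utf8(unsigned char **out, const asn1_str *in)
{
    unsigned char *buf;
    int i, n = 0;
    switch (in->type) {
    case V_ASN1_UTF8STRING: case V_ASN1_PRINTABLESTRING: case V_ASN1_IA5STRING:
        buf = malloc((size_t)in->length + 1);
        if (!buf) return -1;
        memcpy(buf, in->data, (size_t)in->length);
        buf[in->length] = '\0';
        *out = buf;
        return in->length;
    case V_ASN1_T61STRING:  /* treated as Latin-1; bytes >= 0x80 become 2-byte UTF-8 */
        buf = malloc((size_t)in->length * 2 + 1);
        if (!buf) return -1;
        for (i = 0; i < in->length; i++) {
            unsigned char c = in->data[i];
            if (c < 0x80) buf[n++] = c;
            else { buf[n++] = (unsigned char)(0xC0 | (c >> 6)); buf[n++] = (unsigned char)(0x80 | (c & 0x3F)); }
        }
        buf[n] = '\0';
        *out = buf;
        return n;
    default:                /* BIT STRING etc.: not a character string, conversion fails */
        return -1;
    }
}

/* Stand-in for add_next_index_stringl()/estrndup(): copies len bytes, trusting len. */
static void list_append_l(str_list *l, const unsigned char *s, size_t len)
{
    char *copy = malloc(len + 1);
    if (!copy || l->count >= 16) abort();
    memcpy(copy, s, len);   /* with len == (size_t)-1 this is the memcpy() in the backtrace */
    copy[len] = '\0';
    l->val[l->count++] = copy;
}

/* Unchecked pattern (never called here): the -1 failure code becomes a length. */
void add_entry_unchecked(str_list *l, const asn1_str *e)
{
    unsigned char *utf8 = NULL;
    int len = asn1_to_utf8(&utf8, e);
    list_append_l(l, utf8, (size_t)len);   /* len == -1: memcpy from NULL, SIZE_MAX bytes */
    free(utf8);
}

/* Checked pattern: a negative return means no buffer exists; skip the entry. */
static int add_entry_checked(str_list *l, const asn1_str *e)
{
    unsigned char *utf8 = NULL;
    int len = asn1_to_utf8(&utf8, e);
    if (len < 0) return 0;
    list_append_l(l, utf8, (size_t)len);
    free(utf8);
    return 1;
}

static void list_free(str_list *l) { while (l->count > 0) free(l->val[--l->count]); }

/* Parses the constructed sample name with the checked pattern; returns entries
 * kept, reports entries skipped, copies the converted locality into loc. */
static int demo_run(int *skipped, char *loc, size_t cap)
{
    static const unsigned char cn[] = "www.example.test", c[] = "MX";
    static const unsigned char l[] = "Coyoac\xe1n";                          /* Latin-1 in a T61String */
    static const unsigned char uid[] = { 0x00, 'S', 'P', 'R', '0', '0', '1' }; /* BIT STRING value */
    const asn1_str entries[4] = {
        { V_ASN1_PRINTABLESTRING, cn, (int)sizeof cn - 1 }, { V_ASN1_PRINTABLESTRING, c, (int)sizeof c - 1 },
        { V_ASN1_T61STRING, l, (int)sizeof l - 1 },          { V_ASN1_BIT_STRING, uid, (int)sizeof uid },
    };
    str_list out = { {0}, 0 };
    int i;
    *skipped = 0;
    for (i = 0; i < 4; i++)
        if (!add_entry_checked(&out, &entries[i])) (*skipped)++;
    snprintf(loc, cap, "%s", out.count > 2 ? out.val[2] : "");
    i = out.count;
    list_free(&out);
    return i;
}

int demo_kept(void)    { int s; char b[32]; return demo_run(&s, b, sizeof b); }
int demo_skipped(void) { int s; char b[32]; demo_run(&s, b, sizeof b); return s; }
const char *demo_locality_utf8(void) { static char b[32]; int s; demo_run(&s, b, sizeof b); return b; }

int main(void)
{
    int skipped, kept; char loc[32];
    kept = demo_run(&skipped, loc, sizeof loc);
    printf("kept %d entries, skipped %d unconvertible; locality = %s\n", kept, skipped, loc);
    return 0;
}
```

The reporter's observation that `openssl x509 -text` prints the certificate without trouble fits this picture: the library copes with the entry, and the crash comes from the caller treating a negative status as a byte count. Whenever a conversion routine returns a length that can also encode failure, the length must be range-checked before it reaches a copy or allocation.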


