#47828 [Csd]: Seg Fault in openssl_x509_parse
ID: 47828
Updated by: paj...@php.net
Reported By: reinke at securityspace dot com
Status: Closed
Bug Type: OpenSSL related
Operating System: Linux (Debian Lenny)
PHP Version: 5.2.9
Assigned To: scottmac

New Comment:

First, I do not care if it took 0.5 second or 3 hours.

Secondly, the bug is less than a day old, we did run test and it did not crash on all platforms I can test (windows, ubuntu x64/x86 and debian). So no, it was not obvious that there was a real bug in the current code.

And finally, you can't know if a) there is already a patch or a fix and b) what's the status, simply because you did not bother to ask.

There is no problem to take over any bug as long as you simply ask before. It will save us time and pains (as in this kind of discussions, which happen only with you).

Thanks for your understanding and your work.

Previous Comments:

[2009-03-30 09:24:43] scott...@php.net

Pierre using the test given by the reporter I could reproduce this, took less than a minute to find the issue.

Assigning yourself a bug that you'll look at next week isn't all that useful, especially if someone with more time comes along in that next week. Perhaps we need to add multiple assignment to bugs?

FYI OpenSSL versions
OpenSSL 0.9.7l 28 Sep 2006 (OS X default)
OpenSSL 0.9.8j 07 Jan 2009

[2009-03-30 06:00:06] paj...@php.net

> With all due respect - we are using PHP's official release. On Debian. As provided by the distro. On Ubuntu. As provided by Ubuntu. On Fedora. As provided by... well, you get it. Like it or not, these vendors are your distribution channel

No, our official distributions channel is http://www.php.net/downloads and http://windows.php.net, nothing else.

Distributions, in their majority, do a great job at distributing php but they are not our official releases channel, especially not when they use unofficial patches like suhosin or other random changes.

The reason we ask to try PHP's version is to be sure about the src of the problem, we have no control over what the distros do or don't.

[2009-03-30 05:52:22] paj...@php.net

Scott, that's nice but add a test please with the data you use to reproduce the segfault.

[2009-03-29 23:45:51] scott...@php.net

I fixed it about 10 minutes ago, the snapshot is from a few hours ago.

[2009-03-29 23:38:46] reinke at securityspace dot com

Also reproduced on Lenny using snapshot php5.2-200903292230.

./configure --with-openssl
make
sapi/cli/php ~/core2.php - segmentation fault.

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/47828

--
Edit this bug report at http://bugs.php.net/?id=47828&edit=1
#47828 [Csd]: Seg Fault in openssl_x509_parse
ID: 47828
User updated by: reinke at securityspace dot com
Reported By: reinke at securityspace dot com
Status: Closed
Bug Type: OpenSSL related
Operating System: Linux (Debian Lenny)
PHP Version: 5.2.9
Assigned To: scottmac

New Comment:

> No, our official distributions channel is http://www.php.net/downloads and http://windows.php.net, nothing else.

Pierre - that's wishful thinking and a pile of crock. Argue over the semantics of official however you wish. The reality, however, is that about 28% of all web sites with PHP are known to be using a Distro version of PHP. And of the remaining 72%, we can't even say they are using a version from your web site, only that we don't know if they are using your version, or one from a distro.

Don't get me wrong - your (PHP's) fix time on this was absolutely amazing, and to repeat, we have no issue with helping out on a problem. But telling folks not to use a distro version of PHP is just not in line with reality.

And for the record - every 5.2.x install we've touched on a Linux box was vulnerable. If you couldn't reproduce on Ubuntu or Debian using the concise 3 line script provided after several hours of our digging to make it easy on you, perhaps you need to have a broader range of hardware to check on. Every x86 based install WE checked on 5.2.x was vulnerable and reproduced the problem. INCLUDING your latest snapshot.

Grumble - you ought to take this thread and mark it as a how to take a customer that was willing to help find a bug that crashes your application and really piss him off.

Scott - thanks for the quick fix. Above and beyond.

Thomas

Previous Comments:

[2009-03-30 09:59:49] paj...@php.net

First, I do not care if it took 0.5 second or 3 hours.

Secondly, the bug is less than a day old, we did run test and it did not crash on all platforms I can test (windows, ubuntu x64/x86 and debian). So no, it was not obvious that there was a real bug in the current code.

And finally, you can't know if a) there is already a patch or a fix and b) what's the status, simply because you did not bother to ask.

There is no problem to take over any bug as long as you simply ask before. It will save us time and pains (as in this kind of discussions, which happen only with you).

Thanks for your understanding and your work.

[2009-03-30 09:24:43] scott...@php.net

Pierre using the test given by the reporter I could reproduce this, took less than a minute to find the issue.

Assigning yourself a bug that you'll look at next week isn't all that useful, especially if someone with more time comes along in that next week. Perhaps we need to add multiple assignment to bugs?

FYI OpenSSL versions
OpenSSL 0.9.7l 28 Sep 2006 (OS X default)
OpenSSL 0.9.8j 07 Jan 2009

[2009-03-30 06:00:06] paj...@php.net

> With all due respect - we are using PHP's official release. On Debian. As provided by the distro. On Ubuntu. As provided by Ubuntu. On Fedora. As provided by... well, you get it. Like it or not, these vendors are your distribution channel

No, our official distributions channel is http://www.php.net/downloads and http://windows.php.net, nothing else.

Distributions, in their majority, do a great job at distributing php but they are not our official releases channel, especially not when they use unofficial patches like suhosin or other random changes.

The reason we ask to try PHP's version is to be sure about the src of the problem, we have no control over what the distros do or don't.

[2009-03-30 05:52:22] paj...@php.net

Scott, that's nice but add a test please with the data you use to reproduce the segfault.

[2009-03-29 23:45:51] scott...@php.net

I fixed it about 10 minutes ago, the snapshot is from a few hours ago.

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/47828

--
Edit this bug report at http://bugs.php.net/?id=47828&edit=1
#47828 [Csd]: Seg Fault in openssl_x509_parse
ID: 47828
Updated by: paj...@php.net
Reported By: reinke at securityspace dot com
Status: Closed
Bug Type: OpenSSL related
Operating System: Linux (Debian Lenny)
PHP Version: 5.2.9
Assigned To: scottmac

New Comment:

Note that even people from Ubuntu security were not able to reproduce it (I asked them to take a look at the report). So excuse me but there were doubts about this bug, like it or not. And that's why I asked you to test with our src, you did, thanks.

Also I did not ask you not to use the distribution version of php but to use our sources to see if the bug can be reproduced. It is common practice to ask that, not only in php.

Previous Comments:

[2009-03-30 14:43:12] reinke at securityspace dot com

> No, our official distributions channel is http://www.php.net/downloads and http://windows.php.net, nothing else.

Pierre - that's wishful thinking and a pile of crock. Argue over the semantics of official however you wish. The reality, however, is that about 28% of all web sites with PHP are known to be using a Distro version of PHP. And of the remaining 72%, we can't even say they are using a version from your web site, only that we don't know if they are using your version, or one from a distro.

Don't get me wrong - your (PHP's) fix time on this was absolutely amazing, and to repeat, we have no issue with helping out on a problem. But telling folks not to use a distro version of PHP is just not in line with reality.

And for the record - every 5.2.x install we've touched on a Linux box was vulnerable. If you couldn't reproduce on Ubuntu or Debian using the concise 3 line script provided after several hours of our digging to make it easy on you, perhaps you need to have a broader range of hardware to check on. Every x86 based install WE checked on 5.2.x was vulnerable and reproduced the problem. INCLUDING your latest snapshot.

Grumble - you ought to take this thread and mark it as a how to take a customer that was willing to help find a bug that crashes your application and really piss him off.

Scott - thanks for the quick fix. Above and beyond.

Thomas

[2009-03-30 09:59:49] paj...@php.net

First, I do not care if it took 0.5 second or 3 hours.

Secondly, the bug is less than a day old, we did run test and it did not crash on all platforms I can test (windows, ubuntu x64/x86 and debian). So no, it was not obvious that there was a real bug in the current code.

And finally, you can't know if a) there is already a patch or a fix and b) what's the status, simply because you did not bother to ask.

There is no problem to take over any bug as long as you simply ask before. It will save us time and pains (as in this kind of discussions, which happen only with you).

Thanks for your understanding and your work.

[2009-03-30 09:24:43] scott...@php.net

Pierre using the test given by the reporter I could reproduce this, took less than a minute to find the issue.

Assigning yourself a bug that you'll look at next week isn't all that useful, especially if someone with more time comes along in that next week. Perhaps we need to add multiple assignment to bugs?

FYI OpenSSL versions
OpenSSL 0.9.7l 28 Sep 2006 (OS X default)
OpenSSL 0.9.8j 07 Jan 2009

[2009-03-30 06:00:06] paj...@php.net

> With all due respect - we are using PHP's official release. On Debian. As provided by the distro. On Ubuntu. As provided by Ubuntu. On Fedora. As provided by... well, you get it. Like it or not, these vendors are your distribution channel

No, our official distributions channel is http://www.php.net/downloads and http://windows.php.net, nothing else.

Distributions, in their majority, do a great job at distributing php but they are not our official releases channel, especially not when they use unofficial patches like suhosin or other random changes.

The reason we ask to try PHP's version is to be sure about the src of the problem, we have no control over what the distros do or don't.

[2009-03-30 05:52:22] paj...@php.net

Scott, that's nice but add a test please with the data you use to reproduce the segfault.

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/47828

--
Edit this bug report at http://bugs.php.net/?id=47828&edit=1
#47828 [Csd]: Seg Fault in openssl_x509_parse
ID: 47828
Updated by: paj...@php.net
Reported By: reinke at securityspace dot com
Status: Closed
Bug Type: OpenSSL related
Operating System: Linux (Debian Lenny)
PHP Version: 5.2.9
Assigned To: scottmac

New Comment:

For the record here, if you use ubuntu you can follow this issue here:

https://bugs.launchpad.net/bugs/351730

I also updated the test case using the one from Kees Cook as it covers more architectures (incl. the intel ones I have here, and that's nice :).

Previous Comments:

[2009-03-30 14:55:40] paj...@php.net

Note that even people from Ubuntu security were not able to reproduce it (I asked them to take a look at the report). So excuse me but there were doubts about this bug, like it or not. And that's why I asked you to test with our src, you did, thanks.

Also I did not ask you not to use the distribution version of php but to use our sources to see if the bug can be reproduced. It is common practice to ask that, not only in php.

[2009-03-30 14:43:12] reinke at securityspace dot com

> No, our official distributions channel is http://www.php.net/downloads and http://windows.php.net, nothing else.

Pierre - that's wishful thinking and a pile of crock. Argue over the semantics of official however you wish. The reality, however, is that about 28% of all web sites with PHP are known to be using a Distro version of PHP. And of the remaining 72%, we can't even say they are using a version from your web site, only that we don't know if they are using your version, or one from a distro.

Don't get me wrong - your (PHP's) fix time on this was absolutely amazing, and to repeat, we have no issue with helping out on a problem. But telling folks not to use a distro version of PHP is just not in line with reality.

And for the record - every 5.2.x install we've touched on a Linux box was vulnerable. If you couldn't reproduce on Ubuntu or Debian using the concise 3 line script provided after several hours of our digging to make it easy on you, perhaps you need to have a broader range of hardware to check on. Every x86 based install WE checked on 5.2.x was vulnerable and reproduced the problem. INCLUDING your latest snapshot.

Grumble - you ought to take this thread and mark it as a how to take a customer that was willing to help find a bug that crashes your application and really piss him off.

Scott - thanks for the quick fix. Above and beyond.

Thomas

[2009-03-30 09:59:49] paj...@php.net

First, I do not care if it took 0.5 second or 3 hours.

Secondly, the bug is less than a day old, we did run test and it did not crash on all platforms I can test (windows, ubuntu x64/x86 and debian). So no, it was not obvious that there was a real bug in the current code.

And finally, you can't know if a) there is already a patch or a fix and b) what's the status, simply because you did not bother to ask.

There is no problem to take over any bug as long as you simply ask before. It will save us time and pains (as in this kind of discussions, which happen only with you).

Thanks for your understanding and your work.

[2009-03-30 09:24:43] scott...@php.net

Pierre using the test given by the reporter I could reproduce this, took less than a minute to find the issue.

Assigning yourself a bug that you'll look at next week isn't all that useful, especially if someone with more time comes along in that next week. Perhaps we need to add multiple assignment to bugs?

FYI OpenSSL versions
OpenSSL 0.9.7l 28 Sep 2006 (OS X default)
OpenSSL 0.9.8j 07 Jan 2009

[2009-03-30 06:00:06] paj...@php.net

> With all due respect - we are using PHP's official release. On Debian. As provided by the distro. On Ubuntu. As provided by Ubuntu. On Fedora. As provided by... well, you get it. Like it or not, these vendors are your distribution channel

No, our official distributions channel is http://www.php.net/downloads and http://windows.php.net, nothing else.

Distributions, in their majority, do a great job at distributing php but they are not our official releases channel, especially not when they use unofficial patches like suhosin or other random changes.

The reason we ask to try PHP's version is to be sure about the src of the problem, we have no control over what the distros do or don't.

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/47828

--
Edit this bug report at http://bugs.php.net/?id=47828&edit=1
#47828 [Csd]: Seg Fault in openssl_x509_parse
ID: 47828
Updated by: scott...@php.net
Reported By: reinke at securityspace dot com
Status: Closed
Bug Type: OpenSSL related
Operating System: Linux (Debian Lenny)
PHP Version: 5.2.9
Assigned To: pajoye

New Comment:

I fixed it about 10 minutes ago, the snapshot is from a few hours ago.

Previous Comments:

[2009-03-29 23:38:46] reinke at securityspace dot com

Also reproduced on Lenny using snapshot php5.2-200903292230.

./configure --with-openssl
make
sapi/cli/php ~/core2.php - segmentation fault.

[2009-03-29 23:33:40] scott...@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

The string tried to decode one of the items to utf-8 and it failed, this wasn't properly checked resulting in a segfault.

[2009-03-29 22:29:26] reinke at securityspace dot com

With all due respect - we are using PHP's official release. On Debian. As provided by the distro. On Ubuntu. As provided by Ubuntu. On Fedora. As provided by... well, you get it. Like it or not, these vendors are your distribution channel, and what they provide IS de facto your official release. Simply by virtue of the fact that most people are using that channel for getting their binary version of PHP.

If you are asking us to help TEST the bug, fine - that's not a problem. If you are suggesting what I think you suggested, that is upgrading to your official off the www.php.net web site release to solve the problem, that's not happening, for a large variety of reasons. Nor will it happen for a LOT of other users, either.

FWIW - on a Fedora Core 10 system, fully updated, your snapshot (php5.2-200903292030) configured and compiled with

./configure --with-openssl
make

reproduces the problem.

[2009-03-29 21:51:18] paj...@php.net

Please try using this CVS snapshot:

http://snaps.php.net/php5.2-latest.tar.gz

For Windows:

http://windows.php.net/snapshots/

[2009-03-29 21:51:04] paj...@php.net

Thanks for testing all these distributions but it is not what I was asking. Please use PHP.net's sources, available in our downloads page, snapshots via cvs. See my next comment for the snapshot links.

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/47828

--
Edit this bug report at http://bugs.php.net/?id=47828&edit=1
#47828 [Csd]: Seg Fault in openssl_x509_parse
ID: 47828
User updated by: reinke at securityspace dot com
Reported By: reinke at securityspace dot com
Status: Closed
Bug Type: OpenSSL related
Operating System: Linux (Debian Lenny)
PHP Version: 5.2.9
Assigned To: pajoye

New Comment:

Also reproduced on Lenny using snapshot php5.2-200903292230.

./configure --with-openssl
make
sapi/cli/php ~/core2.php - segmentation fault.

Previous Comments:

[2009-03-29 23:33:40] scott...@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

The string tried to decode one of the items to utf-8 and it failed, this wasn't properly checked resulting in a segfault.

[2009-03-29 22:29:26] reinke at securityspace dot com

With all due respect - we are using PHP's official release. On Debian. As provided by the distro. On Ubuntu. As provided by Ubuntu. On Fedora. As provided by... well, you get it. Like it or not, these vendors are your distribution channel, and what they provide IS de facto your official release. Simply by virtue of the fact that most people are using that channel for getting their binary version of PHP.

If you are asking us to help TEST the bug, fine - that's not a problem. If you are suggesting what I think you suggested, that is upgrading to your official off the www.php.net web site release to solve the problem, that's not happening, for a large variety of reasons. Nor will it happen for a LOT of other users, either.

FWIW - on a Fedora Core 10 system, fully updated, your snapshot (php5.2-200903292030) configured and compiled with

./configure --with-openssl
make

reproduces the problem.

[2009-03-29 21:51:18] paj...@php.net

Please try using this CVS snapshot:

http://snaps.php.net/php5.2-latest.tar.gz

For Windows:

http://windows.php.net/snapshots/

[2009-03-29 21:51:04] paj...@php.net

Thanks for testing all these distributions but it is not what I was asking. Please use PHP.net's sources, available in our downloads page, snapshots via cvs. See my next comment for the snapshot links.

[2009-03-29 21:50:43] reinke at securityspace dot com

Updated OS' impacted.

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/47828

--
Edit this bug report at http://bugs.php.net/?id=47828&edit=1
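
The root cause given in the 23:33:40 comment (a decode to UTF-8 that fails while the caller uses the result without checking it) is modelled below as an added example; it is not PHP or OpenSSL source. The names `ucs2be_to_utf8` and `copy_field_checked`, the UCS-2 input encoding and the sample bytes are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a "decode to UTF-8" helper (not OpenSSL or PHP code).
 * Input is UCS-2 big-endian. Success: returns the UTF-8 length and sets *out to
 * a malloc'd, NUL-terminated buffer. Failure: returns -1 and leaves *out alone. */
static int ucs2be_to_utf8(unsigned char **out, const unsigned char *in, size_t len)
{
    if (len % 2 != 0) return -1;                 /* truncated code unit */
    unsigned char *buf = malloc(len / 2 * 3 + 1);
    size_t n = 0;
    if (buf == NULL) return -1;
    for (size_t i = 0; i < len; i += 2) {
        unsigned cp = ((unsigned)in[i] << 8) | in[i + 1];
        if (cp >= 0xD800 && cp <= 0xDFFF) { free(buf); return -1; } /* surrogate */
        if (cp < 0x80) {
            buf[n++] = (unsigned char)cp;
        } else if (cp < 0x800) {
            buf[n++] = (unsigned char)(0xC0 | (cp >> 6));
            buf[n++] = (unsigned char)(0x80 | (cp & 0x3F));
        } else {
            buf[n++] = (unsigned char)(0xE0 | (cp >> 12));
            buf[n++] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            buf[n++] = (unsigned char)(0x80 | (cp & 0x3F));
        }
    }
    buf[n] = '\0';
    *out = buf;
    return (int)n;
}

/* Copies one decoded field into dst (capacity cap). Returns the number of bytes
 * stored, or -1 when the field is skipped. Without the n < 0 check, utf8 would
 * still be NULL and n would be -1, so memcpy would read from NULL with a huge size. */
static int copy_field_checked(char *dst, size_t cap, const unsigned char *raw, size_t raw_len)
{
    unsigned char *utf8 = NULL;
    int n = ucs2be_to_utf8(&utf8, raw, raw_len);
    if (n < 0) return -1;                        /* decode failed: nothing to copy */
    if ((size_t)n >= cap) { free(utf8); return -1; }
    memcpy(dst, utf8, (size_t)n);
    dst[n] = '\0';
    free(utf8);
    return n;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the bug report. */
    const unsigned char good[] = { 0x00, 'P', 0x00, 'H', 0x00, 'P' };
    const unsigned char bad[]  = { 0x00, 'P', 0xD8, 0x00 };  /* lone surrogate */
    char out[16];
    printf("good: %d\n", copy_field_checked(out, sizeof out, good, sizeof good));
    printf("bad:  %d\n", copy_field_checked(out, sizeof out, bad, sizeof bad));
    return 0;
}
```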