[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
This was addressed in precise in the 5.3.10-1ubuntu1 merge, closing.

** Changed in: php5 (Ubuntu Precise)
       Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in Ubuntu.
https://bugs.launchpad.net/bugs/910296

Title:
  Please backport the upstream patch to prevent attacks based on hash collisions

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/910296/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
** Branch linked: lp:ubuntu/natty-security/php5

** Branch linked: lp:ubuntu/maverick-security/php5

** Branch linked: lp:ubuntu/lucid-security/php5

** Branch linked: lp:ubuntu/oneiric-updates/php5

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
Yes, this has been fixed in hardy (8.04 LTS); however, I forgot to incorporate the bug number in the changelog entry for the hardy version. You are correct that this issue has not been addressed in precise, yet.

As for CVE-2012-0830, there is no separate bug report; the security team doesn't track all security issues via bug reports due to some inadequacies in launchpad. Issues are tracked publicly in the Ubuntu CVE tracker at http://people.canonical.com/~ubuntu-security/cve/ .

Thanks!

** Changed in: php5 (Ubuntu Hardy)
       Status: Confirmed => Fix Released

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
According to this issue it is not yet released for Hardy nor Precise, but the announcement for 5.2.4-2ubuntu5.22 says it is:

https://launchpad.net/ubuntu/+source/php5/5.2.4-2ubuntu5.22

Was that tracked somewhere else and this issue just needs to be updated?

Related question: I searched for the bug for the remote arbitrary code execution that this fix introduced (PHP 5.3.10, CVE-2012-0830) and couldn't find it.

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
This bug was fixed in the package php5 - 5.3.2-1ubuntu4.13

---
php5 (5.3.2-1ubuntu4.13) lucid-security; urgency=low

  * SECURITY UPDATE: memory allocation failure denial of service
    - debian/patches/php5-CVE-2011-4153.patch: check result of
      zend_strdup() and calloc() for failed allocations
    - CVE-2011-4153
  * SECURITY UPDATE: predictable hash collision denial of service
    (LP: #910296)
    - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
      directive with default limit of 1000
    - ATTENTION: this update changes previous php5 behavior by
      limiting the number of external input variables to 1000.
      This may be increased by adding a "max_input_vars"
      directive to the php.ini configuration file. See
      http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
      for more information.
    - CVE-2011-4885
  * SECURITY UPDATE: remote code execution vulnerability introduced by
    the fix for CVE-2011-4885 (LP: #925772)
    - debian/patches/php5-CVE-2012-0830.patch: return rather than
      continuing if max_input_vars limit is reached
    - CVE-2012-0830
  * SECURITY UPDATE: XSLT arbitrary file overwrite attack
    - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
      ini option to define forbidden operations within XSLT stylesheets
    - CVE-2012-0057
  * SECURITY UPDATE: PDORow session denial of service
    - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
      attempting to serialize PDORow instances
    - CVE-2012-0788
  * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
    - debian/patches/php5-CVE-2012-0831.patch: always restore
      magic_quote_gpc on request shutdown
    - CVE-2012-0831
  * SECURITY UPDATE: arbitrary files removal via cronjob
    - debian/php5-common.php5.cron.d: take greater care when removing
      session files (overlooked in a previous update).
    - http://git.debian.org/?p=pkg-php%2Fphp.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09
    - CVE-2011-0441
 -- Steve Beattie  Wed, 08 Feb 2012 20:55:57 -0800

** Changed in: php5 (Ubuntu Lucid)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0441

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
This bug was fixed in the package php5 - 5.3.3-1ubuntu9.9

---
php5 (5.3.3-1ubuntu9.9) maverick-security; urgency=low

  * SECURITY UPDATE: memory allocation failure denial of service
    - debian/patches/php5-CVE-2011-4153.patch: check result of
      zend_strdup() and calloc() for failed allocations
    - CVE-2011-4153
  * SECURITY UPDATE: predictable hash collision denial of service
    (LP: #910296)
    - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
      directive with default limit of 1000
    - ATTENTION: this update changes previous php5 behavior by
      limiting the number of external input variables to 1000.
      This may be increased by adding a "max_input_vars"
      directive to the php.ini configuration file. See
      http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
      for more information.
    - CVE-2011-4885
  * SECURITY UPDATE: remote code execution vulnerability introduced by
    the fix for CVE-2011-4885 (LP: #925772)
    - debian/patches/php5-CVE-2012-0830.patch: return rather than
      continuing if max_input_vars limit is reached
    - CVE-2012-0830
  * SECURITY UPDATE: XSLT arbitrary file overwrite attack
    - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
      ini option to define forbidden operations within XSLT stylesheets
    - CVE-2012-0057
  * SECURITY UPDATE: PDORow session denial of service
    - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
      attempting to serialize PDORow instances
    - CVE-2012-0788
  * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
    - debian/patches/php5-CVE-2012-0831.patch: always restore
      magic_quote_gpc on request shutdown
    - CVE-2012-0831
 -- Steve Beattie  Wed, 08 Feb 2012 20:59:18 -0800

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
This bug was fixed in the package php5 - 5.3.6-13ubuntu3.5

---
php5 (5.3.6-13ubuntu3.5) oneiric-security; urgency=low

  * SECURITY UPDATE: memory allocation failure denial of service
    - debian/patches/php5-CVE-2011-4153.patch: check result of
      zend_strdup() and calloc() for failed allocations
    - CVE-2011-4153
  * SECURITY UPDATE: predictable hash collision denial of service
    (LP: #910296)
    - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
      directive with default limit of 1000
    - ATTENTION: this update changes previous php5 behavior by
      limiting the number of external input variables to 1000.
      This may be increased by adding a "max_input_vars"
      directive to the php.ini configuration file. See
      http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
      for more information.
    - CVE-2011-4885
  * SECURITY UPDATE: remote code execution vulnerability introduced by
    the fix for CVE-2011-4885 (LP: #925772)
    - debian/patches/php5-CVE-2012-0830.patch: return rather than
      continuing if max_input_vars limit is reached
    - CVE-2012-0830
  * SECURITY UPDATE: XSLT arbitrary file overwrite attack
    - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
      ini option to define forbidden operations within XSLT stylesheets
    - CVE-2012-0057
  * SECURITY UPDATE: PDORow session denial of service
    - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
      attempting to serialize PDORow instances
    - CVE-2012-0788
  * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
    - debian/patches/php5-CVE-2012-0831.patch: always restore
      magic_quote_gpc on request shutdown
    - CVE-2012-0831
 -- Steve Beattie  Wed, 08 Feb 2012 20:56:28 -0800

** Changed in: php5 (Ubuntu Oneiric)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4153

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0057

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0788

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0831

** Changed in: php5 (Ubuntu Natty)
       Status: Confirmed => Fix Released

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
This bug was fixed in the package php5 - 5.3.5-1ubuntu7.6

---
php5 (5.3.5-1ubuntu7.6) natty-security; urgency=low

  * SECURITY UPDATE: memory allocation failure denial of service
    - debian/patches/php5-CVE-2011-4153.patch: check result of
      zend_strdup() and calloc() for failed allocations
    - CVE-2011-4153
  * SECURITY UPDATE: predictable hash collision denial of service
    (LP: #910296)
    - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars
      directive with default limit of 1000
    - ATTENTION: this update changes previous php5 behavior by
      limiting the number of external input variables to 1000.
      This may be increased by adding a "max_input_vars"
      directive to the php.ini configuration file. See
      http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
      for more information.
    - CVE-2011-4885
  * SECURITY UPDATE: remote code execution vulnerability introduced by
    the fix for CVE-2011-4885 (LP: #925772)
    - debian/patches/php5-CVE-2012-0830.patch: return rather than
      continuing if max_input_vars limit is reached
    - CVE-2012-0830
  * SECURITY UPDATE: XSLT arbitrary file overwrite attack
    - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs
      ini option to define forbidden operations within XSLT stylesheets
    - CVE-2012-0057
  * SECURITY UPDATE: PDORow session denial of service
    - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
      attempting to serialize PDORow instances
    - CVE-2012-0788
  * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
    - debian/patches/php5-CVE-2012-0831.patch: always restore
      magic_quote_gpc on request shutdown
    - CVE-2012-0831
 -- Steve Beattie  Wed, 08 Feb 2012 20:58:41 -0800

** Changed in: php5 (Ubuntu Maverick)
       Status: Confirmed => Fix Released

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
Why not cherry-pick from Debian? (That way you can also check if I haven't missed anything on your radar.)

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
Thanks for reporting this; I am currently working on the update to fix this and other open php issues.

I'm aware of the introduced vulnerability CVE-2012-0830 that the fix for this issue introduced (Tom Reed's patch above includes the vulnerability). It's addressed upstream by http://svn.php.net/viewvc?view=revision&revision=323007, plus there's an additional memory leak addressed by http://svn.php.net/viewvc?view=revision&revision=323013.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0830

** Changed in: php5 (Ubuntu Lucid)
     Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: php5 (Ubuntu Hardy)
     Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: php5 (Ubuntu Natty)
     Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: php5 (Ubuntu Maverick)
     Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: php5 (Ubuntu Oneiric)
     Assignee: (unassigned) => Steve Beattie (sbeattie)

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
This should really be fixed soon. Please up vote it!

BTW, watch out, the fix caused an even worse (remote code execution) bug:
https://bugzilla.redhat.com/show_bug.cgi?id=786686

** Bug watch added: Red Hat Bugzilla #786686
   https://bugzilla.redhat.com/show_bug.cgi?id=786686

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
Initial testing shows a crash from the error message there. A version with the error message pulled out seems to be functioning. There may be additional code from 2.3.9 that the Ubuntu version doesn't have and needs to support the error message.

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
Also, I might bump this up a little higher than medium. This is a verified bug with trivially reproducible DoS capability.

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
You actually need two commits for this fix.

This one is the 5.3 branch commit for the first commit:
http://svn.php.net/viewvc?view=revision&revision=321038

There was a fix to that commit later:
http://svn.php.net/viewvc?view=revision&revision=321335

I've combined both of these patches into one patch that can be applied to 5.3.2-1ubuntu4.11:
https://gist.github.com/1610477

Should just be able to drop it into debian/patches and add it to the end of debian/patches/series.

I'm still confirming if that patch fixes the DoS.

[Bug 910296] Re: Please backport the upstream patch to prevent attacks based on hash collisions
** Also affects: php5 (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Also affects: php5 (Ubuntu Oneiric)
   Importance: Undecided
       Status: New

** Also affects: php5 (Ubuntu Maverick)
   Importance: Undecided
       Status: New

** Also affects: php5 (Ubuntu Hardy)
   Importance: Undecided
       Status: New

** Also affects: php5 (Ubuntu Natty)
   Importance: Undecided
       Status: New

** Also affects: php5 (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Visibility changed to: Public

** Visibility changed to: Public

** Changed in: php5 (Ubuntu Hardy)
       Status: New => Confirmed

** Changed in: php5 (Ubuntu Lucid)
       Status: New => Confirmed

** Changed in: php5 (Ubuntu Maverick)
       Status: New => Confirmed

** Changed in: php5 (Ubuntu Natty)
       Status: New => Confirmed

** Changed in: php5 (Ubuntu Oneiric)
       Status: New => Confirmed

** Changed in: php5 (Ubuntu Precise)
       Status: New => Confirmed

** Changed in: php5 (Ubuntu Hardy)
   Importance: Undecided => Medium

** Changed in: php5 (Ubuntu Lucid)
   Importance: Undecided => Medium

** Changed in: php5 (Ubuntu Maverick)
   Importance: Undecided => Medium

** Changed in: php5 (Ubuntu Natty)
   Importance: Undecided => Medium

** Changed in: php5 (Ubuntu Oneiric)
   Importance: Undecided => Medium

** Changed in: php5 (Ubuntu Precise)
   Importance: Undecided => Medium