[php-maint] Bug#576147: memory corruption in PHP

Toni Mueller support at oeko.net
Thu Apr 1 08:02:48 UTC 2010


Package: php5-cgi
Version: 5.2.6.dfsg.1-1+lenny8
Severity: normal


Hi,

I've written to the TYPO3 folks in order to get the problem described
below fixed, but they say I should turn to you instead. FWIW, I'm
running a pretty vanilla TYPO3 4.2.12 from upstream's source code,
along with some add-ons that the customer implemented (but I don't know
which, some are his creation).

On Thu, 01.04.2010 at 05:20:39 +0200, TYPO3 Security Team <security at typo3.org> wrote:
> Toni Mueller <support at oeko.net> wrote:
> > I forgot to send another error message that makes me feel uneasy. So
> > here goes:
> > > Mar 23 14:19:29 debian suhosin[15099]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '80.142.175.180', file '/webserverroot/typo3_src-4.2.12/t3lib/class.t3lib_htmlmail.php', line 718)
> 
> According to a blog post [1] this is caused by a memory corruption of PHP or
> one of its extensions. This is not related to TYPO3 Security.
> 
> > Mar 29 13:15:47 debian suhosin[11070]: ALERT - linked list corrupt on efree ()
> > - heap corruption detected (attacker '88.116.33.10', file
> > '/webserverroot/www.example.com/index.php')
> 
> This again seems to be a bug in PHP or its extension (memory related). This is
> not related to any kind of TYPO3 attack.
> Both "events" seem to be unable to be triggered intentionally from remote - so
> there's no real "attacker".
> 
> These bugs aren't caused by or able to be mitigated by TYPO3 source code.
> 
> To fix these bugs, you have to use the bug infrastructure of your OS distributor!

It would be great if someone could fix the problem, and/or backport PHP
5.2.13 to Lenny. If you want to discuss the issue with the TYPO3 folks,
their ticket number for this issue is [Ticket#2010033110000014].

I leave the severity as "normal" because the TYPO3 folks claim that the
error occurs at random, and cannot be provoked by a user, and that this
is not really a security problem (see [1] for details), although I'm
not quite sure about that because there are only exactly these two
locations where the error occurs, often several times a day.


Kind regards,
--Toni++

[1] http://www.suspekt.org/2008/10/12/suhosin-canary-mismatch-on-efree-heap-overflow-detected/
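
A triage aid for the suhosin alerts quoted above, added here as an example and not part of the original message or of suhosin itself: it groups ALERT lines by message, file and line and counts distinct client addresses and days per location, to check whether the alerts are confined to a few code sites. The log layout is inferred from the two quoted lines; the sample lines and the function names are constructed.

```python
import re
from collections import defaultdict

# Layout inferred from the two ALERT lines quoted in the report;
# the ", line N" part is optional because the second alert lacks it.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssuhosin\[\d+\]:\sALERT\s-\s"
    r"(?P<msg>.+?)\s\(attacker\s'(?P<ip>[^']*)',\sfile\s'(?P<file>[^']*)'"
    r"(?:,\sline\s(?P<line>\d+))?\)\s*$"
)

# Constructed sample lines (documentation-range addresses), not a real log.
SAMPLE_LOG = """\
Mar 23 14:19:29 debian suhosin[15099]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '192.0.2.10', file '/webserverroot/typo3_src-4.2.12/t3lib/class.t3lib_htmlmail.php', line 718)
Mar 23 16:02:11 debian suhosin[15311]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '198.51.100.7', file '/webserverroot/typo3_src-4.2.12/t3lib/class.t3lib_htmlmail.php', line 718)
Mar 29 13:15:47 debian suhosin[11070]: ALERT - linked list corrupt on efree () - heap corruption detected (attacker '203.0.113.5', file '/webserverroot/www.example.com/index.php')
Mar 29 13:15:50 debian sshd[2211]: Accepted publickey for admin from 192.0.2.10
"""


def parse_alert(line):
    """Return a dict for a suhosin ALERT line, or None for anything else."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    alert = m.groupdict()
    # One quoted line reads "efree ()"; normalise so both spellings group together.
    alert["msg"] = re.sub(r"\s+\(\)", "()", alert["msg"])
    alert["line"] = int(alert["line"]) if alert["line"] else None
    return alert


def summarise(log_text):
    """Group alerts by (message, file, line); count hits, clients and days."""
    sites = defaultdict(lambda: {"count": 0, "ips": set(), "days": set()})
    for raw in log_text.splitlines():
        alert = parse_alert(raw)
        if alert is None:
            continue
        site = sites[(alert["msg"], alert["file"], alert["line"])]
        site["count"] += 1
        site["ips"].add(alert["ip"])
        site["days"].add(alert["ts"][:6])  # month and day, e.g. "Mar 23"
    return dict(sites)


if __name__ == "__main__":
    for (msg, path, line), s in summarise(SAMPLE_LOG).items():
        print(f"{s['count']}x from {len(s['ips'])} client(s) on "
              f"{len(s['days'])} day(s): {path}:{line} [{msg}]")
```

The same locations recurring across many unrelated client addresses would fit the reporter's observation that only two sites are affected; the summary does not by itself say whether a request can trigger the fault.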





