[php-maint] Bug#717139: php5: CVE-2013-4113: heap corruption in xml parser
Henri Salo
henri at nerv.fi
Wed Jul 17 08:49:41 UTC 2013
Package: php5
Version: 5.5.0+dfsg-13
Severity: important
Tags: security
php -v
PHP 5.5.0-13 (cli) (built: Jul 16 2013 13:47:37)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.5.0-dev, Copyright (c) 1998-2013 Zend Technologies
with Zend OPcache v7.0.2-dev, Copyright (c) 1999-2013, by Zend Technologies
fgeek at example:~$ php -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $b);'
Segmentation fault
Full backtrace attached. The fault is raised inside the Zend allocator's free path, `_zend_mm_free_int()` (Zend/zend_alloc.c:2104), called from `_xml_startElementHandler()` (ext/xml/xml.c:849) while the namespace-aware parser created by `xml_parser_create_ns()` is handling the deeply nested `<blah>` elements; the garbage-looking `next_block`/`size` values in frame #0 are consistent with corrupted heap metadata rather than a plain NULL dereference. Since the crashing input is entirely attacker-controlled, any application that feeds untrusted XML to `xml_parse_into_struct()` with a namespace parser is at minimum exposed to a remote denial of service, and heap corruption may have further consequences.
References:
https://bugs.php.net/bug.php?id=65236
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4113
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.9-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages php5 depends on:
ii libapache2-mod-php5 5.5.0+dfsg-13
ii php5-common 5.5.0+dfsg-13
php5 recommends no packages.
php5 suggests no packages.
-- no debconf information
Attachment: gdb backtrace of the reproducer above.
Starting program: /usr/bin/php5 -r 'xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $b);'
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
_zend_mm_free_int (heap=0xe57cf0, p=0x7ffff7fd0380) at /tmp/buildd/php5-5.5.0+dfsg/Zend/zend_alloc.c:2104
2104 /tmp/buildd/php5-5.5.0+dfsg/Zend/zend_alloc.c: No such file or directory.
#0 _zend_mm_free_int (heap=0xe57cf0, p=0x7ffff7fd0380) at /tmp/buildd/php5-5.5.0+dfsg/Zend/zend_alloc.c:2104
mm_block = 0x7ffff7fd0370
next_block = 0xffffeb8a3300
size = 140737279504272
#1 0x0000000000657abf in _xml_startElementHandler (userData=0x7ffff7fd04a0, name=<optimized out>, attributes=<optimized out>)
at /tmp/buildd/php5-5.5.0+dfsg/ext/xml/xml.c:849
parser = 0x7ffff7fd04a0
attrs = <optimized out>
val = <optimized out>
val_len = -134417336
retval = 0x10b0857
args = {0x4, 0x7fffffffcb60, 0x4}
#2 0x0000000000657f76 in _start_element_handler_ns (user=0x7ffff7fcf440, name=0x10b0857 "blah", prefix=0x0, URI=0x0,
nb_namespaces=0, namespaces=<optimized out>, nb_attributes=0, nb_defaulted=0, attributes=0x0)
at /tmp/buildd/php5-5.5.0+dfsg/ext/xml/compat.c:190
parser = 0x7ffff7fcf440
qualified_name = 0x10b05e0 "blah"
attrs = 0x0
i = <optimized out>
z = 0
y = 0
#3 0x00007ffff5861a27 in xmlParseStartTag2 (ctxt=ctxt at entry=0x10af0e0, pref=pref at entry=0x7fffffffccf0,
URI=URI at entry=0x7fffffffccf8, tlen=tlen at entry=0x7fffffffccdc) at ../../parser.c:9612
localname = 0x10b0857 "blah"
prefix = 0x0
attname = <optimized out>
aprefix = 0x7ffff4baf5cd <__GI___libc_realloc+237> "H\211\302\203=\035\324\062"
nsname = 0x0
attvalue = <optimized out>
atts = 0x0
maxatts = 0
nratts = 0
nbatts = 0
nbdef = 0
i = <optimized out>
j = <optimized out>
nbNs = 0
attval = 0
oldline = 1
oldcol = 2648
base = <optimized out>
cur = 0
nsNr = 0
#4 0x00007ffff586a71f in xmlParseTryOrFinish (ctxt=ctxt at entry=0x10af0e0, terminate=terminate at entry=1) at ../../parser.c:11375
name = <optimized out>
prefix = 0x0
URI = 0x0
nsNr = 0
ret = 0
avail = 3354
tlen = 4
cur = <optimized out>
next = <optimized out>
lastlt = 0x10ae83a "<blah>"
lastgt = 0x10ae83f ">"
#5 0x00007ffff586bf1f in xmlParseChunk__internal_alias (ctxt=0x10af0e0,
chunk=0x7ffff7fd08f0 "<blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><b"..., size=6000,
terminate=terminate at entry=1) at ../../parser.c:12280
end_in_lf = 0
remain = <optimized out>
old_avail = 0
avail = 6000
#6 0x00000000006587ad in php_XML_Parse (parser=0x7ffff7fcf440, data=<optimized out>, data_len=<optimized out>,
is_final=is_final at entry=1) at /tmp/buildd/php5-5.5.0+dfsg/ext/xml/compat.c:605
error = <optimized out>
#7 0x0000000000655f4e in zif_xml_parse_into_struct (ht=<optimized out>, return_value=0x7ffff7fce808,
return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
at /tmp/buildd/php5-5.5.0+dfsg/ext/xml/xml.c:1489
parser = 0x7ffff7fd04a0
pind = 0x7ffff7fce868
xdata = 0x7ffff7f9c178
info = 0x0
data = 0x7ffff7fd08f0 "<blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><blah><b"...
data_len = 6000
ret = <optimized out>
#8 0x000000000077c18a in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>)
at /tmp/buildd/php5-5.5.0+dfsg/Zend/zend_vm_execute.h:543
ret = 0x7ffff7f9c060
opline = <optimized out>
should_change_scope = 0 '\000'
fbc = 0xed0ce0
#9 0x00000000006f5f58 in execute_ex (execute_data=0x7ffff7f9c0c0) at /tmp/buildd/php5-5.5.0+dfsg/Zend/zend_vm_execute.h:356
ret = <optimized out>
original_in_execution = 0 '\000'
#10 0x00000000006c033a in zend_eval_stringl (
str=str at entry=0xe57a10 "xml_parse_into_struct(xml_parser_create_ns(), str_repeat(\"<blah>\", 1000), $b);",
str_len=<optimized out>, retval_ptr=retval_ptr at entry=0x0, string_name=string_name at entry=0xb17f60 "Command line code")
at /tmp/buildd/php5-5.5.0+dfsg/Zend/zend_execute_API.c:1179
__orig_bailout = 0x7fffffffd310
__bailout = {{__jmpbuf = {15034816, -5898600418575756034, 11632480, 15038992, 0, 0, 5898600420189033726,
-5898599559609297666}, __mask_was_saved = 0, __saved_mask = {__val = {140737353934840, 30064771073,
12548144454487244801, 15498192, 6, 2, 140737353934888, 30064771073, 1, 17485488, 7, 3, 140737353934936,
30064771073, 1, 17485680}}}}
local_retval_ptr = 0x0
original_return_value_ptr_ptr = 0x0
original_opline_ptr = 0x0
orig_interactive = 0
pv = {value = {lval = 15038992, dval = 7.43024929528134e-317, str = {
val = 0xe57a10 "xml_parse_into_struct(xml_parser_create_ns(), str_repeat(\"<blah>\", 1000), $b);", len = 78},
ht = 0xe57a10, obj = {handle = 15038992, handlers = 0xd0ac0000004e}}, refcount__gc = 4160547888, type = 6 '\006',
is_ref__gc = 127 '\177'}
new_op_array = 0x7ffff7fceff0
original_active_op_array = 0x0
original_compiler_options = 2
retval = <optimized out>
#11 0x00000000006c0429 in zend_eval_stringl_ex (
str=str at entry=0xe57a10 "xml_parse_into_struct(xml_parser_create_ns(), str_repeat(\"<blah>\", 1000), $b);",
str_len=<optimized out>, retval_ptr=retval_ptr at entry=0x0, string_name=string_name at entry=0xb17f60 "Command line code",
handle_exceptions=handle_exceptions at entry=1) at /tmp/buildd/php5-5.5.0+dfsg/Zend/zend_execute_API.c:1226
result = <optimized out>
#12 0x00000000006c0498 in zend_eval_string_ex (
str=str at entry=0xe57a10 "xml_parse_into_struct(xml_parser_create_ns(), str_repeat(\"<blah>\", 1000), $b);",
retval_ptr=retval_ptr at entry=0x0, string_name=string_name at entry=0xb17f60 "Command line code",
handle_exceptions=handle_exceptions at entry=1) at /tmp/buildd/php5-5.5.0+dfsg/Zend/zend_execute_API.c:1237
No locals.
#13 0x000000000077dc1d in do_cli (argc=3, argv=0xe579a0) at /tmp/buildd/php5-5.5.0+dfsg/sapi/cli/php_cli.c:1033
__orig_bailout = 0x7fffffffe4b0
__bailout = {{__jmpbuf = {0, 5898600418816447742, 140737488348324, 0, 0, 14916704, 5898600419165623550,
-5898599763143928578}, __mask_was_saved = 0, __saved_mask = {__val = {11538844, 11538868, 11438643, 11438664,
11538881, 11538901, 11538918, 11539472, 11538939, 11538953, 11538975, 11538994, 11539021, 11539050, 0,
14916704}}}}
c = <optimized out>
file_handle = {type = ZEND_HANDLE_FP, filename = 0xadf445 "-", opened_path = 0x0, handle = {fd = -185761216,
fp = 0x7ffff4ed8240 <_IO_2_1_stdin_>, stream = {handle = 0x7ffff4ed8240 <_IO_2_1_stdin_>, isatty = 0, mmap = {
len = 14916704, pos = 5898600419165623550, map = 0xae23f6e654f454fe, buf = 0x0, old_handle = 0x7ffff7fdf060,
old_closer = 0x1}, reader = 0x0, fsizer = 0x1, closer = 0x7ffff7ffe1e8}}, free_filename = 0 '\000'}
behavior = <optimized out>
reflection_what = 0x0
request_started = 1
exit_status = 0
php_optarg = 0xe57a10 "xml_parse_into_struct(xml_parser_create_ns(), str_repeat(\"<blah>\", 1000), $b);"
php_optind = 3
exec_direct = 0xe57a10 "xml_parse_into_struct(xml_parser_create_ns(), str_repeat(\"<blah>\", 1000), $b);"
exec_run = 0x0
exec_begin = 0x0
exec_end = 0x0
arg_free = <optimized out>
arg_excp = <optimized out>
script_file = <optimized out>
translated_path = 0x0
interactive = 0
lineno = 0
param_error = <optimized out>
hide_argv = 0
#14 0x000000000045fcaf in main (argc=3, argv=0xe579a0) at /tmp/buildd/php5-5.5.0+dfsg/sapi/cli/php_cli.c:1377
__orig_bailout = 0x0
__bailout = {{__jmpbuf = {15039568, 5898600418816447742, 140737488348324, 0, 0, 14916704, 5898600418802816254,
-5898599919601298178}, __mask_was_saved = 0, __saved_mask = {__val = {140737296581072, 0, 140737354130752,
4131212846, 140737342587056, 0, 4405733, 4294967295, 0, 140737298829600, 140737354017240, 1, 0, 140737304722824,
140737298810424, 1}}}}
c = <optimized out>
exit_status = 0
module_started = 1
sapi_started = 1
php_optarg = 0xe57a10 "xml_parse_into_struct(xml_parser_create_ns(), str_repeat(\"<blah>\", 1000), $b);"
php_optind = 3
use_extended_info = 0
ini_path_override = 0x0
ini_entries = 0xe57c50 "html_errors=0\nregister_argc_argv=1\nimplicit_flush=1\noutput_buffering=0\nmax_execution_time=0\nmax_input_time=-1\n"
ini_entries_len = 0
ini_ignore = 0
sapi_module = <optimized out>
A debugging session is active.
Inferior 1 [process 3350] will be killed.
Quit anyway? (y or n)