[php-maint] Bug#783099: php5: Fileinfo on specific file causes spurious OOM and/or segfault

Christoph Biedl debian.axhn at manchmal.in-ulm.de
Thu Apr 23 07:23:47 UTC 2015


tags 783099 unreproducible
thanks

Henri Salo wrote...

> When calling finfo::file() or finfo::buffer() with a crafted string, PHP will
> crash by either segfaulting or trying to allocate a large amount of memory
> (4GiB).
(...)
>   https://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd

What kind of alert is this?

* "Saw this, just forwarding, your job"
* "Tried a few things, file seems to be robust, thought you might be
  interested anyway"
* "It's vulnerable, reproducer attached/available upon request"

So assuming the first:

Using the reproducer generators I was indeed able to segfault
php5 in wheezy (both) and jessie (001 only) every time - not
squeeze-lts though. However, running the file program against a dump
of any generated file worked flawlessly. In fact, I couldn't trigger
a segfault in any upstream release I've tested between 5.04 and 5.22.

According to the patch php5 applied this seems to be a duplicate of
CVE-2014-3538 which is fixed in all Debian versions of the file
package. However, testing upstream commits around the fix
(FILE5_18-69-g4a284c8g) still shows no abnormal behaviour. Also,
php5 did fix this issue last year, too. However the softmagic.c file
differs between file and php5 anyway so it might be a pure php5
problem.

If you have different information, please submit in due course.

    Christoph

