During "software development" with Di Paola we found that latest php5 stable version available for gentoo (5.1.6) is affected by a double free in the htmlentities() function, commonly exposed to user input.
This is not bug #28067; it's already patched in Ubuntu and Debian but triggerable under Gentoo with this released and public PoC:
http://downloads.securityfocus.com/vulnerabilities/exploits/20879.php
The author of the PoC is Zarathu.

We added some UTF tests and included this in our software on 01/17/07; the public PoC is even older and today is 02/10/07, so probably somebody hasn't noticed the bug/patch.

Glibc backtrace: http://rafb.net/p/b35aEl20.html

You can verify this by comparing the file /var/tmp/portage/php-5.1.6-r6/work/php-5.1.6/ext/standard/html.c with ext/standard/html.c of Ubuntu with patches applied, function php_escape_html_entities(), called by php_html_entities():

+- if (len + 9 > maxlen)
++ if (len + 16 > maxlen)
....
+ if (matches_map) {
++ int l = strlen(rep);
++ /* increase the buffer size */
++ if (len + 2 + l >= maxlen) {
++ replaced = erealloc(replaced, maxlen += 128);
++ }
++
+ replaced[len++] = '&';
+ strcpy(replaced + len, rep);
+- len += strlen(rep);
++ len += l;
+ replaced[len++] = ';';
+ }

Original code:

if (matches_map) {
    replaced[len++] = '&';
    strcpy(replaced + len, rep);
    len += strlen(rep);
    replaced[len++] = ';';
}

Ubuntu (not vulnerable):
PHP 5.1.6 (cli) (built: Nov 2 2006 12:49:10)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies

Gentoo (vulnerable):
PHP 5.1.6-pl6-gentoo (cli) (built: Feb 9 2007 22:00:21)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies

Stripped comm between Ubuntu and Gentoo: http://rafb.net/p/Bm2Qjb83.html
Gentoo involved functions: http://rafb.net/p/LmZCaL28.html http://rafb.net/p/48UWl028.html
Gentoo patchset: http://rafb.net/p/und1hw52.html
Ubuntu involved functions (prior to patching): http://rafb.net/p/chiQsJ98.html
Ubuntu/Debian patch: http://rafb.net/p/kvvZGh68.html

Moral: this is patched in the official PHP 5.2 source tree and in Ubuntu/Debian 5.1.6 but not in Gentoo 5.1.6, so imho it could be a nice idea to push out a new stable version (like additional patching for 5.1.6 or a release upgrade using the 5.2 sources).

Regards,
Francesco `ascii` Ongaro http://www.ush.it/
Stefano `wisec` Di Paola http://www.wisec.it/

--
[email protected] mailing list
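Review bot: the growth step in the `if (len + 2 + l >= maxlen)` branch is a fixed `replaced = erealloc(replaced, maxlen += 128);`, which only guarantees room when `l + 2` is at most 128; a replacement longer than that would still run past the buffer after the single erealloc. Growing by the larger of 128 and `l + 2`, or asserting a bound on the entity length the table can contain, would make the check visibly sufficient. The `len + 9` to `len + 16` change in the first hunk also carries no comment; a one-line note on what the 16 bytes reserve would help the next reader of html.c.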
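For readers comparing the two html.c versions above, here is an added example (not PHP's code, not the Gentoo or Ubuntu patch) of the same escaping loop written so that the output buffer is grown by the size of the pending replacement rather than by a fixed step; the entity table is a constructed subset and the helper names are assumptions.

```c
#include <stdlib.h>
#include <string.h>
/* Added example, not PHP's code: an entity escaper shaped like php_escape_html_entities(),
 * but the output buffer is grown by what the pending replacement needs, not a fixed 128. */
static const char *entity_for(unsigned char c) {        /* constructed subset of the table */
    switch (c) {
    case '&': return "amp";  case '<': return "lt";  case '>': return "gt";
    case '"': return "quot"; default:  return NULL;
    }
}
/* Make room for `need` more bytes plus a terminator; returns 0 on success, -1 on OOM. */
static int ensure_room(char **buf, size_t *maxlen, size_t len, size_t need) {
    if (len + need + 1 <= *maxlen) return 0;
    size_t grow = need + 1 > 128 ? need + 1 : 128;       /* never less than what is needed */
    char *tmp = realloc(*buf, *maxlen + grow);
    if (!tmp) return -1;
    *buf = tmp; *maxlen += grow;
    return 0;
}
/* Returns a malloc'd escaped copy of in[0..inlen) (caller frees), or NULL on OOM. */
char *escape_html_entities(const char *in, size_t inlen) {
    size_t maxlen = 128, len = 0;
    char *out = malloc(maxlen);
    if (!out) return NULL;
    for (size_t i = 0; i < inlen; i++) {
        const char *rep = entity_for((unsigned char)in[i]);
        size_t l = rep ? strlen(rep) + 2 : 1;            /* '&' + name + ';', or one raw byte */
        if (ensure_room(&out, &maxlen, len, l) < 0) { free(out); return NULL; }
        if (rep) {
            out[len++] = '&';
            memcpy(out + len, rep, l - 2); len += l - 2;
            out[len++] = ';';
        } else {
            out[len++] = in[i];
        }
    }
    out[len] = '\0';
    return out;
}
/* Escape n copies of c (forces several regrowths) and check the output length. */
int escape_repeated_ok(char c, size_t n) {
    const char *rep = entity_for((unsigned char)c);
    size_t per = rep ? strlen(rep) + 2 : 1;
    char *in = malloc(n), *out; int ok = 0;
    if (!in) return 0;
    memset(in, c, n);
    out = escape_html_entities(in, n);
    if (out) ok = strlen(out) == n * per;
    free(in); free(out);
    return ok;
}
```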
