[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2017-10-27 Thread Bug Watch Updater
Launchpad has imported 8 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=667806.


On 2011-01-06T20:30:39+00:00 Vincent wrote:

A flaw in how PHP handled the numeric value 2.2250738585072011e-308 was
reported [1].  If a script were to assign this value to a variable, it
could cause PHP to hang (infinite loop).  This issue has been fixed in
upstream PHP [2] 5.2.17 and 5.3.5.

[1] http://bugs.php.net/53632
[2] http://svn.php.net/viewvc?view=revision&revision=307095

Reply at:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/697181/comments/4


On 2011-01-06T20:56:55+00:00 Vincent wrote:

I have not been able to reproduce this on RHEL4 (4.3.9) or RHEL5 (5.1.6)
on x86.  I have reproduced it on RHEL6 (5.3.2) and Fedora 14 (5.3.4),
both x86.  It does not reproduce on Fedora 14 x86_64, so this is
x86-only.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/697181/comments/5


On 2011-01-06T21:11:38+00:00 Michał wrote:

Please add also

r307168 | pajoye | 2011-01-06 18:08:46 +0100 (czw) | 1 linia

- fix vc6 random behavior for Fix bug #53632 with x87 fpu

Reply at:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/697181/comments/6


On 2011-01-07T00:24:29+00:00 Vincent wrote:

Note that upstream has put up a checking script to see if your system is
vulnerable:  http://www.php.net/distributions/test_bug53632.txt

Reply at:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/697181/comments/7


On 2011-01-07T08:54:21+00:00 Joe wrote:

Michal, r307168 is MSVC-specific and won't have any effect on Linux.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/697181/comments/8


On 2011-02-03T18:56:33+00:00 errata-xmlrpc wrote:

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0195 https://rhn.redhat.com/errata/RHSA-2011-0195.html

Reply at:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/697181/comments/14


On 2011-02-03T19:17:11+00:00 errata-xmlrpc wrote:

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0196 https://rhn.redhat.com/errata/RHSA-2011-0196.html

Reply at:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/697181/comments/15


On 2011-02-03T19:28:28+00:00 Vincent wrote:

Statement:

This issue leads to a temporary denial of service (high CPU consumption)
when a PHP script handles numeric values from untrusted user input. It
does not affect the versions of PHP as shipped with Red Hat Enterprise
Linux 3, 4 or 5.  It did affect the PHP 5.3 (php53) package on Red Hat
Enterprise Linux 5.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/697181/comments/16


** Changed in: php5 (Fedora)
   Status: Unknown => Fix Released

** Changed in: php5 (Fedora)
   Importance: Unknown => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/697181

Title:
  DoS: Infinite loop processing 2.2250738585072011e-308

To manage notifications about this bug go to:
https://bugs.launchpad.net/php/+bug/697181/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
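
A bounded local check, as an added example that is not part of the thread or of upstream's checking script: it runs the two `php -r` one-liners quoted in the bug description under a time limit, so an affected interpreter is reported instead of hanging the shell. It assumes GNU coreutils `timeout`; `run_limited` and `check_php` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread): bounded check for the hang in this bug.
# Assumes GNU coreutils `timeout`; function names are hypothetical.

LITERAL='2.2250738585072011e-308'   # value from the bug title
CONTROL='2.2250738585072010e-308'   # neighbour the report says returns immediately

# run_limited SECONDS CMD [ARGS...]
# 0 = finished in time, 1 = killed by the time limit, 2 = any other failure.
run_limited() {
    limit=$1; shift
    rc=0
    timeout -k 1 "$limit" "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)       return 0 ;;
        124|137) return 1 ;;   # 124 = timed out, 137 = needed SIGKILL (-k)
        *)       return 2 ;;
    esac
}

# check_php PHP_BINARY [SECONDS]
# 0 = not affected, 1 = hangs on the literal, 2 = inconclusive.
check_php() {
    php_bin=$1; secs=${2:-5}
    # Control first: if the harmless neighbour does not run cleanly, a timeout
    # on the real literal would prove nothing about zend_strtod().
    if ! run_limited "$secs" "$php_bin" -r "print $CONTROL;"; then
        echo "inconclusive: control value failed under $php_bin"
        return 2
    fi
    res=0
    run_limited "$secs" "$php_bin" -r "print $LITERAL;" || res=$?
    case $res in
        0) echo "not affected: $php_bin parsed $LITERAL" ;;
        1) echo "AFFECTED: $php_bin did not finish within ${secs}s" ;;
        *) echo "inconclusive: $php_bin exited with an error" ;;
    esac
    return "$res"
}

# Usage after sourcing this file: check_php /usr/bin/php 5
```

Run it against every PHP binary on the host (CLI, CGI, and any separately packaged builds), since the thread shows the result depends on architecture and build.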

[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2012-02-16 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/hardy-updates/php5

** Branch linked: lp:ubuntu/php5

** Branch linked: lp:ubuntu/dapper-updates/php5

** Branch linked: lp:ubuntu/maverick-security/php5

** Branch linked: lp:ubuntu/karmic-security/php5

** Branch linked: lp:ubuntu/lucid-security/php5



[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2011-01-11 Thread Launchpad Bug Tracker
This bug was fixed in the package php5 - 5.3.2-1ubuntu4.6

---
php5 (5.3.2-1ubuntu4.6) lucid-security; urgency=low

  * SECURITY UPDATE: open_basedir bypass
    - debian/patches/php5-CVE-2010-3436.patch: more strict checking in
      php_check_specific_open_basedir()
    - CVE-2010-3436
  * SECURITY UPDATE: NULL pointer dereference crash
    - debian/patches/php5-CVE-2010-3709.patch: check for NULL when
      getting zip comment
    - CVE-2010-3709
  * SECURITY UPDATE: memory consumption denial of service
    - debian/patches/php5-CVE-2010-3710.patch: check for email address
      longer than RFC 2821 allows
    - CVE-2010-3710
  * SECURITY UPDATE: xml decode bypass
    - debian/patches/php5-CVE-2010-3870.patch: improve utf8 decoding
    - CVE-2010-3870
  * SECURITY UPDATE: integer overflow can cause an application crash
    - debian/patches/php5-CVE-2010-4409.patch: fix invalid args in
      NumberFormatter::getSymbol()
    - CVE-2010-4409
  * SECURITY UPDATE: infinite loop/denial of service when dealing with
    certain textual forms of MAX_FLOAT (LP: #697181)
    - debian/patches/php5-CVE-2010-4645.patch: treat local doubles
      as volatile to avoid x87 registers in zend_strtod()
    - CVE-2010-4645

 -- Steve Beattie  Fri, 07 Jan 2011 10:56:23 -0800



[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2011-01-11 Thread Launchpad Bug Tracker
This bug was fixed in the package php5 - 5.3.3-1ubuntu9.2

---
php5 (5.3.3-1ubuntu9.2) maverick-security; urgency=low

  * SECURITY UPDATE: open_basedir bypass
    - debian/patches/php5-CVE-2010-3436.patch: more strict checking in
      php_check_specific_open_basedir()
    - CVE-2010-3436
  * SECURITY UPDATE: NULL pointer dereference crash
    - debian/patches/php5-CVE-2010-3709.patch: check for NULL when
      getting zip comment
    - CVE-2010-3709
  * SECURITY UPDATE: memory consumption denial of service
    - debian/patches/php5-CVE-2010-3710.patch: check for email address
      longer than RFC 2821 allows
    - CVE-2010-3710
  * SECURITY UPDATE: xml decode bypass
    - debian/patches/php5-CVE-2010-3870.patch: improve utf8 decoding
    - CVE-2010-3870
  * SECURITY UPDATE: memory disclosure
    - debian/patches/php5-CVE-2010-4156.patch: check for excessive
      length in mb_strcut()
    - CVE-2010-4156
  * SECURITY UPDATE: integer overflow can cause an application crash
    - debian/patches/php5-CVE-2010-4409.patch: fix invalid args in
      NumberFormatter::getSymbol()
    - CVE-2010-4409
  * SECURITY UPDATE: infinite loop/denial of service when dealing with
    certain textual forms of MAX_FLOAT (LP: #697181)
    - debian/patches/php5-CVE-2010-4645.patch: treat local doubles
      as volatile to avoid x87 registers in zend_strtod()
    - CVE-2010-4645

 -- Steve Beattie  Wed, 05 Jan 2011 22:45:19 -0800

** Changed in: php5 (Ubuntu Maverick)
   Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3436

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3709

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3710

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3870

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4156

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4409

** Changed in: php5 (Ubuntu Lucid)
   Status: Confirmed => Fix Released



[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2011-01-10 Thread Bug Watch Updater
** Changed in: php5 (Debian)
   Status: Unknown => Fix Released



[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2011-01-07 Thread Launchpad Bug Tracker
This bug was fixed in the package php5 - 5.3.3-1ubuntu12

---
php5 (5.3.3-1ubuntu12) natty; urgency=low

  * debian/patches/fix-upstream-bug53632.patch: Fix infinite loop bug
    (php bug #53632) (LP: #697181)

 -- Chuck Short  Fri, 07 Jan 2011 12:57:59 -0500

** Changed in: php5 (Ubuntu Natty)
   Status: Confirmed => Fix Released



[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2011-01-07 Thread Daniel Hahler
** Description changed:

  Binary package hint: php5
  
  Processing certain textual forms of MAX_FLOAT leads to an infinite
  loop/hang/DoS:
  
    php -r "print 2.2250738585072011e-308;"
  
  hangs indefinitely, whereas:
  
    php -r "print 2.2250738585072010e-308;"
  
  returns immediately.
  
  Confirmed for natty/php5-cli=5.3.3-1ubuntu11
  
  Fixed in new upstream releases:
  
-   http://www.php.net/ChangeLog-5.php#5.3.4
-   http://www.php.net/releases/5_2_17.php
+   http://www.php.net/ChangeLog-5.php#5.3.5
+   http://www.php.net/releases/5_2_17.php


[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2011-01-07 Thread Daniel Hahler
Maybe it is related to some compiler flags? (e.g. it can be worked around by 
using "-ffloat-store" in CFLAGS).
See http://news.ycombinator.com/item?id=2066084 for more discussion.



[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2011-01-07 Thread Steve Beattie
I've confirmed that marking the double variables as volatile in
maverick's php causes the infinite loop not to get triggered on i386
(and think I understand why that's the case). However, attempts to
reproduce the issue with php from 9.10 (karmic), 8.04 (hardy), and 6.06
(dapper) fail for no apparent reason -- the zend_strtod.c code is nearly
identical between karmic and lucid's versions. Does anyone have an
indication as to what's different that would cause this issue not to be
triggered on older releases? Thanks.



[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2011-01-07 Thread Jamie Strandboge
** Changed in: php5 (Ubuntu Maverick)
 Assignee: (unassigned) => Steve Beattie (sbeattie)

** Changed in: php5 (Ubuntu Lucid)
 Assignee: (unassigned) => Steve Beattie (sbeattie)



[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2011-01-06 Thread Paul Sladen
** Bug watch added: Red Hat Bugzilla #667806
   https://bugzilla.redhat.com/show_bug.cgi?id=667806

** Also affects: php5 (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=667806
   Importance: Unknown
   Status: Unknown

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4645

** Description changed:

  Binary package hint: php5
  
  Processing certain textual forms of MAX_FLOAT leads to an infinite
  loop/hang/DoS:
  
    php -r "print 2.2250738585072011e-308;"
  
  hangs indefinitely, whereas:
  
    php -r "print 2.2250738585072010e-308;"
  
  returns immediately.
  
  Confirmed for natty/php5-cli=5.3.3-1ubuntu11
+ 
+ Fixed in new upstream releases:
+ 
+   http://www.php.net/ChangeLog-5.php#5.3.4
+   http://www.php.net/releases/5_2_17.php

** Bug watch added: Debian Bug tracker #609007
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609007

** Also affects: php5 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609007
   Importance: Unknown
   Status: Unknown


[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2011-01-05 Thread John Edwards
Confirmed in Ubuntu 10.04 "lucid" using:
echo '' | time -p php5
which hangs.

Ubuntu 8.04 "hardy" does not hang.


** Changed in: php5 (Ubuntu Lucid)
   Status: Incomplete => Confirmed



[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2011-01-05 Thread Steven van der Vegt
And there's a patch:

Fix: http://svn.php.net/viewvc?view=revision&revision=307095
Test case: http://svn.php.net/viewvc?view=revision&revision=307097

See:
http://bugs.php.net/bug.php?id=53632



[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2011-01-04 Thread Paul Sladen
** Also affects: php5 (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Also affects: php5 (Ubuntu Maverick)
   Importance: Undecided
   Status: New

** Also affects: php5 (Ubuntu Natty)
   Importance: Undecided
   Status: Confirmed

** Changed in: php5 (Ubuntu Maverick)
   Status: New => Confirmed

** Changed in: php5 (Ubuntu Lucid)
   Status: New => Incomplete



[Bug 697181] Re: DoS: Infinite loop processing 2.2250738585072011e-308

2011-01-04 Thread UndiFineD
Confirmed on Ubuntu 10.10+ 32bit

php --version
PHP 5.3.3-1ubuntu9.1 with Suhosin-Patch (cli) (built: Oct 15 2010 14:17:04) 
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.31, Copyright (c) 2007-2010, by SektionEins GmbH

see also:
http://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-308/

** Changed in: php5 (Ubuntu)
   Status: New => Confirmed
