Suhosin 0.9.20 and crypt() Thread Safety Vulnerability at 2007-08-12 15:10:20
I just released Suhosin 0.9.20, which adds a few new features and bugfixes. The most important addition is that a mutex is placed around the call to the system's crypt() function to ensure thread safety. This mutex is necessary to close a number of possible attacks on the libc crypt() function on multi-threaded systems. Because the libc crypt() function (and also the PHP port for Windows) is not thread safe, there is a race condition that can be exploited on multi-threaded systems. When, for example, two threads try to validate passwords through crypt() at the same time, they use the same internal memory area, which can result in both crypt() calls returning invalid results, or in the result of one operation overwriting the result of the other. It is obvious that in this case a thread using a wrong password will return the correct crypted password i
PHP 4 - Reference Counter Overflow Fix at 2007-08-12 15:10:20
Because the PHP developers do not want to fix the PHP 4 Reference Counter Overflow Vulnerability that was disclosed during the Month of PHP Bugs, the Hardened-PHP Project, as usual, had to step in to protect the users of PHP. I created a patch for the refcount overflow problem that took about 30 minutes to develop and that fixes the problem without breaking binary compatibility, something that according to Zend Engine developer and Zend employee Stanislav Malyshev is not possible at the moment. You can apply it directly or wait until it is ripped and merged into the default PHP CVS after being relabelled as the work of the PHP developers.
PHP 5.2.3 released... at 2007-08-12 15:10:20
PHP 5.2.3 was released with several security fixes. Again not all security fixes are mentioned in the release announcement.
Again security bugs known to the developers were not correctly fixed.
More info here.
PS: Why does PHP.net always release security fixes just before the weekend?
UPDATE: Antony Dogval from Zend meanwhile wrote a blog entry in which he comments on this blog entry. He claims that I did not tell the PHP developers how to fix the issue. I love how members of the PHP development team that do not receive the mails to security@php.net try to convince the world that I never sent those mails. I wrote at least 2 times in the conversation about the described bug that the problem is that the session id is not encoded. I am not the p
Google for me and get Zend at 2007-08-12 15:10:20
Brought to you from one of the comments in my blog. 
Google for "Stefan Esser" and get a sponsored link for Zend.
http://www.google.com/search?q=%22Stefan+Esser%22
Update: It seems for now their budget is gone. My name is free again.
Chunk_split() Overflow not fixed at all... at 2007-08-12 15:10:20
If you are one of the guys who read the PHP CVS commits you usually know about the security bugs months before the rest of the community, and this is no news for you. During the last 24 hours the following fix was merged into the PHP CVS: "Corrected fix for CVE-2007-2872". This fixes the chunk_split() overflow (found by SEC-CONSULT) that was, according to the PHP 5.2.3 release notes, already fixed. The original fix was however not only broken but complete nonsense. If you can read C you will see that the integer overflow was not fixed in PHP 5.2.3 but simply moved into a separate line, and an additional bogus if clause was added.
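As an added example (my own illustration, not PHP's code and not the fix discussed above): an overflow-checked computation of the buffer size a chunk_split()-style function needs, next to a constructed variant that only checks after the arithmetic has already wrapped, which is the shape of "fix" that lets an undersized allocation through. It assumes every chunklen bytes of input are followed by the endlen-byte terminator, including the last (possibly shorter) chunk, plus one byte for the NUL.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Safe version: every intermediate value is checked BEFORE it can wrap.
 * Returns false when the result does not fit in size_t, so the caller
 * refuses the request instead of allocating a too-small buffer. */
bool chunk_split_outlen(size_t srclen, size_t chunklen, size_t endlen,
                        size_t *out)
{
    if (chunklen == 0)
        return false;                         /* no division by zero */
    /* ceil(srclen / chunklen); the addition cannot wrap because
     * srclen / chunklen <= srclen < SIZE_MAX. */
    size_t chunks = srclen / chunklen + (srclen % chunklen != 0);
    /* chunks * endlen: test against SIZE_MAX / endlen before multiplying. */
    if (endlen != 0 && chunks > SIZE_MAX / endlen)
        return false;
    size_t pad = chunks * endlen;
    /* srclen + pad + 1: test each addition separately. */
    if (pad > SIZE_MAX - srclen)
        return false;
    size_t total = srclen + pad;
    if (total == SIZE_MAX)
        return false;
    *out = total + 1;
    return true;
}

/* Constructed broken variant (not PHP's actual code): the multiplication
 * wraps silently and the "check" afterwards only catches the cases where
 * the wrapped sum happens to fall below srclen. */
bool chunk_split_outlen_unsafe(size_t srclen, size_t chunklen, size_t endlen,
                               size_t *out)
{
    if (chunklen == 0)
        return false;
    size_t chunks = srclen / chunklen + (srclen % chunklen != 0);
    size_t total = srclen + chunks * endlen + 1;  /* may already have wrapped */
    if (total < srclen)                            /* post-hoc, incomplete */
        return false;
    *out = total;
    return true;
}
```

With endlen = SIZE_MAX / 2 + 1 and two chunks the product wraps to exactly 0, so the unsafe variant reports success with a 5-byte buffer for input that cannot be represented at all.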