Newsgroups: php.internals
Xref: news.php.net php.internals:32373
From: seanius@seanius.net (sean finney)
To: Stanislav Malyshev
Cc: internals@lists.php.net, team@security.debian.org, 442247@bugs.debian.org, 442250@bugs.debian.org
Date: Tue, 18 Sep 2007 23:48:55 +0200
Subject: Re: [PHP-DEV] CVE-2007-4840
Message-ID: <200709182348.59077.seanius@seanius.net>
In-Reply-To: <46F03B70.1040405@zend.com>
References: <200709182130.44018.seanius@seanius.net> <200709182252.11222.seanius@seanius.net> <46F03B70.1040405@zend.com>
User-Agent: KMail/1.9.7
hi stanislav,

(hope you don't mind i'm going to cc this off to a few addresses, no need to keep them cc'd for further correspondence though)

On Tuesday 18 September 2007 10:56:16 pm Stanislav Malyshev wrote:
> > ah, so it's a glibc issue then? istr a similar thing come up with
> > truetype fonts that ended up being a bug in the tr1 lib, but because the
> > PoC used php it was classified as a php vulnerability. if it's the same
> > case here then i think the onus is on glibc...
>
> Well, I think we can still impose limit on iconv parameters, it doesn't
> seem to hurt anything. But the problem is reproducible in pure C...

sure, understood. and yes, i can reproduce the problem too. it looks to me like the underlying charsets passed to iconv_foo in libc are "converted" using temporary memory allocated on the stack:

===== test program ======
#include <iconv.h>
#include <string.h>

int main(int argc, char **argv){
    /* two ~3 MB charset names, built on the stack and NUL-terminated */
    char tmpbuf[2991371];
    char tmpbuf2[2991371];
    memset(tmpbuf, '/', 2991370);
    memset(tmpbuf2, '/', 2991370);
    tmpbuf[2991370] = '\0';
    tmpbuf2[2991370] = '\0';
    /* libc copies each name into an alloca()'d buffer of the same size */
    iconv_open(tmpbuf, tmpbuf2);
    return 0;
}
===== iconv/iconv_open.c =====
iconv_t
iconv_open (const char *tocode, const char *fromcode)
{
  char *tocode_conv;
  char *fromcode_conv;
  size_t tocode_len;
  size_t fromcode_len;
  __gconv_t cd;
  int res;

  /* Normalize the name.  We remove all characters beside alpha-numeric,
     '_', '-', '/', '.', and ':'.  */
  tocode_len = strlen (tocode);
  tocode_conv = (char *) alloca (tocode_len + 3);
  ....
======================

so it's not surprising that big strings could end up being problematic...

sean
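The mitigation Stanislav mentions in the thread, imposing a limit on the iconv parameters before they reach libc, as an added example that is not part of the mail or of glibc. It assumes a hypothetical bound CHARSET_NAME_MAX of 64 bytes (real charset names are a few dozen bytes at most) and rejects names that are empty, over-long or contain characters outside the set glibc's normalizer keeps, so the alloca(tocode_len + 3) in iconv_open is never fed an attacker-sized length. The oversized name is built on the heap so the demonstration itself cannot exhaust the stack.

```c
#include <ctype.h>
#include <errno.h>
#include <iconv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on a charset name (assumption: real names such as
 * "ISO-8859-1" or "UTF-8//TRANSLIT" are a few dozen bytes at most). */
#define CHARSET_NAME_MAX 64

/* Return 1 if name is present, no longer than CHARSET_NAME_MAX, and made only
 * of the characters iconv_open's normalizer keeps (alphanumerics, '_', '-',
 * '/', '.', ':'); return 0 otherwise.  The scan stops at the bound, so a
 * multi-megabyte name is rejected after looking at 65 bytes. */
int charset_name_ok(const char *name)
{
    size_t i;
    if (name == NULL)
        return 0;
    for (i = 0; i <= CHARSET_NAME_MAX; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '\0')
            break;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '/' || c == '.' || c == ':'))
            return 0;
    }
    /* i == CHARSET_NAME_MAX + 1 means no terminator was seen within the bound */
    return i > 0 && i <= CHARSET_NAME_MAX;
}

/* Wrapper that enforces the bound before handing the names to libc. */
iconv_t safe_iconv_open(const char *tocode, const char *fromcode)
{
    if (!charset_name_ok(tocode) || !charset_name_ok(fromcode)) {
        errno = EINVAL;
        return (iconv_t)-1;
    }
    return iconv_open(tocode, fromcode);
}

/* Constructed input: a heap-allocated name of n slashes, mirroring the
 * test program's buffers without placing them on the stack. */
char *make_long_name(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, '/', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char *big = make_long_name(2991370);
    iconv_t cd;
    if (big == NULL)
        return 1;

    cd = safe_iconv_open(big, "UTF-8");
    printf("oversized name rejected: %s (errno=%d)\n",
           cd == (iconv_t)-1 ? "yes" : "no", errno);
    free(big);

    cd = safe_iconv_open("ISO-8859-1", "UTF-8");
    if (cd != (iconv_t)-1) {
        puts("normal names pass through to libc");
        iconv_close(cd);
    } else {
        perror("iconv_open");
    }
    return 0;
}
```

The length check deliberately refuses to read past the bound rather than calling strlen first: with the 3 MB names from the test program, strlen would already touch every byte, and any later stack copy of that length is exactly what this wrapper exists to prevent.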