Patch in PHP 5.2.3 ineffective
PHP 5.2.3, released at the beginning of the month, claimed to eliminate a security vulnerability in the chunk_split() function, which splits a string into substrings of a user-defined length. According to PHP security specialist Stefan Esser, co-initiator of the Month of PHP Bugs, this is not actually the case. Esser says the original fix was not merely ineffective but more or less nonsense, because it only moved the underlying problem, an integer overflow, to a different line of the source code. A further fix intended to finally eliminate the bug has since been developed; so far, however, it exists only in PHP's CVS repository and has not been officially released.
Esser wonders whether the original discoverer of the vulnerability or the Linux distributors may have made the PHP developers aware of the problem. After all, the Linux distributors, with regression tests that check performance and watch for old bugs creeping back in, do a good job. The vulnerability in chunk_split() causes a heap overflow which, in the best case, merely crashes the PHP process; in the worst case it may allow an attacker to inject and execute code.
The patch to the patch apparently is not entirely bug-free either: the amount of memory to allocate is calculated in floating point and then cast to an integer. For very large values the conversion can yield a number smaller than the one actually required, so too little memory would be reserved.
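To make the two failure modes in the paragraphs above concrete, the following C program is an added, constructed model of the allocation-size arithmetic behind a chunk_split()-style function. It is not PHP's code and reproduces only the arithmetic pattern the article describes: a plain 32-bit computation that wraps (the original integer overflow behind the heap overflow), a single-precision float computation that is truncated to an integer and comes out smaller than the exact size, and a checked version that refuses sizes it cannot represent. All function names, the uint32_t length type and the sample inputs are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model (not PHP's own code) of the size arithmetic of a chunk_split()-style
 * function. The output is every chunk of `chunklen` bytes followed by `endlen` bytes of
 * terminator, plus a NUL, so an upper bound on the output length is
 *     chunks * (chunklen + endlen) + 1,   chunks = ceil(srclen / chunklen).
 * Lengths are uint32_t so that wrap-around is well defined for the demonstration
 * (PHP 5 used int, where the same overflow is undefined behaviour).
 */

/* Number of chunks, rounding up, written so that it cannot overflow itself. */
static uint32_t num_chunks(uint32_t srclen, uint32_t chunklen)
{
    if (chunklen == 0)           /* callers must reject this; avoid division by zero */
        return 0;
    return srclen / chunklen + (srclen % chunklen != 0);
}

/* Exact required size computed in 64 bits; reference value only. */
static uint64_t required_len(uint32_t srclen, uint32_t chunklen, uint32_t endlen)
{
    return (uint64_t)num_chunks(srclen, chunklen) * ((uint64_t)chunklen + endlen) + 1;
}

/* Variant 1: plain 32-bit arithmetic, the integer-overflow pattern of the original bug.
 * The multiplication wraps for large inputs and can leave a tiny allocation. */
static uint32_t alloc_len_wrapping(uint32_t srclen, uint32_t chunklen, uint32_t endlen)
{
    uint32_t chunks = num_chunks(srclen, chunklen);
    return chunks * (chunklen + endlen) + 1;           /* may wrap to a small value */
}

/* Variant 2: size computed in single-precision float, then truncated to an integer.
 * A float carries 24 significand bits, so every integer above 2^24 is rounded and
 * the result can be smaller than the exact size even when nothing wraps. */
static uint32_t alloc_len_float(uint32_t srclen, uint32_t chunklen, uint32_t endlen)
{
    uint32_t chunks = num_chunks(srclen, chunklen);
    float chunks_f = (float)chunks;                    /* 16777217 becomes 16777216.0f */
    float total = chunks_f * (float)(chunklen + endlen);
    total += 1.0f;                                     /* the +1 is lost above 2^25 */
    if (total >= 4294967296.0f)                        /* crude "too large" guard */
        return 0;
    return (uint32_t)total;
}

/* Variant 3: checked arithmetic. Every step is tested for overflow before it is done,
 * and a size that does not fit is reported as failure instead of being silently wrong. */
static bool alloc_len_checked(uint32_t srclen, uint32_t chunklen, uint32_t endlen,
                              uint32_t *out)
{
    if (chunklen == 0)
        return false;
    if (endlen > UINT32_MAX - chunklen)                /* chunklen + endlen would wrap */
        return false;
    uint32_t piece  = chunklen + endlen;
    uint32_t chunks = num_chunks(srclen, chunklen);
    /* chunks * piece + 1 <= UINT32_MAX  <=>  piece <= (UINT32_MAX - 1) / chunks */
    if (chunks != 0 && piece > (UINT32_MAX - 1) / chunks)
        return false;
    *out = chunks * piece + 1;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the size cannot be represented. */
static uint32_t alloc_len_checked_or_zero(uint32_t srclen, uint32_t chunklen, uint32_t endlen)
{
    uint32_t need;
    return alloc_len_checked(srclen, chunklen, endlen, &need) ? need : 0;
}

/* Hardened chunk_split: refuses any input whose output size cannot be represented.
 * Returns a malloc'd NUL-terminated string (caller frees) or NULL. */
static char *chunk_split_checked(const char *src, uint32_t srclen, uint32_t chunklen,
                                 const char *end, uint32_t endlen)
{
    uint32_t need;
    if (!alloc_len_checked(srclen, chunklen, endlen, &need))
        return NULL;
    char *out = malloc(need);
    if (out == NULL)
        return NULL;
    char *p = out;
    uint32_t rem = srclen;
    while (rem > 0) {
        uint32_t n = rem < chunklen ? rem : chunklen;
        memcpy(p, src, n);      p += n; src += n; rem -= n;
        memcpy(p, end, endlen); p += endlen;
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Wrap: 2^30 one-byte chunks, each followed by 3 bytes: 2^30 * 4 = 2^32 -> 0, +1 -> 1 byte. */
    printf("wrapping: %u (exact %llu)\n", alloc_len_wrapping(0x40000000u, 1, 3),
           (unsigned long long)required_len(0x40000000u, 1, 3));
    /* Float: 16777217 chunks of 2 bytes need 33554435 bytes; float arithmetic says 33554432. */
    printf("float:    %u (exact %llu)\n", alloc_len_float(16777217u, 1, 1),
           (unsigned long long)required_len(16777217u, 1, 1));
    printf("checked:  %u (0 = refused)\n", alloc_len_checked_or_zero(0x40000000u, 1, 3));
    char *s = chunk_split_checked("abcdefghij", 10, 3, "xx", 2);   /* constructed input */
    printf("split:    %s\n", s ? s : "(refused)");
    free(s);
    return 0;
}
```

The wrapping variant reserves a single byte for an output of more than four gigabytes, which is the heap overflow the article describes; the float variant never wraps yet still comes out three bytes short, which is the weakness Esser points out in the patch to the patch. The checked variant is the shape a real fix needs: test each addition and multiplication against the limit before performing it, and fail closed.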
- Chunk_split() overflow not fixed at all..., blog entry by Stefan Esser
- PHP chunk_split() integer overflow, vulnerability report from Sec-Consult