
[ubuntu] Needing advice on patching PHP in relation to CVE-2011-1938



sduncan84
July 19th, 2011, 07:32 AM
A bit of a newbie question with these sorts of things, but I'm currently running 11.10 and have php 5.3.6-11ubuntu1 installed and I'm trying to figure out what steps I need to take to either a) apply a patch for http://svn.php.net/viewvc?view=revision&revision=311369 or upgrade to php > 5.3.6. Since I've installed the php5 binary, I wasn't sure of the correct route to take here.

Any and all help is greatly appreciated!

bodhi.zazen
July 19th, 2011, 07:35 PM
You will need to either wait for the Ubuntu team to release an updated .deb (hint file a bug report) or apply the patch yourself and compile php.

If you have to ask, I suspect you do not know how to compile php, and IMO php is not the best first application to patch, so I suggest you file a bug report.

Chayak
July 19th, 2011, 07:36 PM
A bit of a newbie question with these sorts of things, but I'm currently running 11.10 and have php 5.3.6-11ubuntu1 installed and I'm trying to figure out what steps I need to take to either a) apply a patch for http://svn.php.net/viewvc?view=revision&revision=311369 or upgrade to php > 5.3.6. Since I've installed the php5 binary, I wasn't sure of the correct route to take here.

Any and all help is greatly appreciated!

PHP 5.3.6 is the current stable release. If you upgrade manually to the RC build then you risk breaking updates through apt-get.

Have you checked the security patches already in the repo? They're normally quick to get patches out on issues like that.
http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-1938.html

It's a stack-based exploit, and Ubuntu, along with most modern distributions, has stack protection at the kernel level and compiled into the code. I found this out the hard way when I was in a class at Blackhat and couldn't get an example to work. I'm not going to post instructions how, but you have to turn off a number of protective features and recompile code with flags to disable GCC's (actually glibc's) stack smashing protection just to get stack-based exploits to work.
Here's the wiki page explaining them.
https://wiki.ubuntu.com/Security/Features

You'll drive yourself nuts if you try and manually patch everything with unreleased code, as it can break things more often than not. AppArmor is there for that type of thing, so make sure it's set up. When they release the PHP update it'll be upgraded in the repo fairly quickly.

bodhi.zazen
July 19th, 2011, 07:59 PM
You'll drive yourself nuts if you try and manually patch everything with unreleased code, as it can break things more often than not. AppArmor is there for that type of thing, so make sure it's set up.

sage advice

sduncan84
July 19th, 2011, 08:06 PM
PHP 5.3.6 is the current stable release. If you upgrade manually to the RC build then you risk breaking updates through apt-get.

Have you checked the security patches already in the repo? They're normally quick to get patches out on issues like that.
http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-1938.html

You'll drive yourself nuts if you try and manually patch everything with unreleased code, as it can break things more often than not. AppArmor is there for that type of thing, so make sure it's set up. When they release the PHP update it'll be upgraded in the repo fairly quickly.
Driving myself crazy is exactly what I'm wanting to avoid. For now, I've disabled socket_* functions in php.ini and I'm going to be submitting a bug in regards to this CVE... I haven't seen a security update for it, but I may have overlooked it.
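
A way to confirm that the php.ini workaround described in the post above is actually in effect. This is an added example, not code from the thread; it assumes the sockets extension is the one providing socket_connect(), and that, as is typical on Ubuntu, php-cli and Apache read different php.ini files (/etc/php5/cli/php.ini and /etc/php5/apache2/php.ini), so it should be run once under each SAPI that matters.

```php
<?php
// Audit the disable_functions workaround for the socket_* family.
// Written for PHP 5.3-era syntax so it runs on the versions discussed.

// Parse the disable_functions directive into a lookup set for reporting.
function disabled_function_set()
{
    $set = array();
    foreach (explode(',', (string) ini_get('disable_functions')) as $name) {
        $name = strtolower(trim($name));
        if ($name !== '') {
            $set[$name] = true;
        }
    }
    return $set;
}

// Return the sockets-extension functions that are still callable in this SAPI.
// function_exists() reports false for a function removed via disable_functions,
// so anything it still reports as present has not been disabled here.
function enabled_socket_functions()
{
    if (!extension_loaded('sockets')) {
        return array(); // extension not loaded: socket_connect() is not reachable
    }
    $enabled = array();
    foreach (get_extension_funcs('sockets') as $fn) {
        if (function_exists($fn)) {
            $enabled[] = $fn;
        }
    }
    return $enabled;
}

// Report which php.ini applied, since each SAPI may load a different one.
printf("SAPI: %s, php.ini: %s\n", PHP_SAPI, php_ini_loaded_file() ?: '(none)');
printf("disable_functions lists %d names\n", count(disabled_function_set()));

$still = enabled_socket_functions();
if (!extension_loaded('sockets')) {
    echo "sockets extension not loaded in this SAPI.\n";
} elseif (empty($still)) {
    echo "All socket_* functions are disabled in this SAPI.\n";
} else {
    echo "Still callable (add to disable_functions): " . implode(', ', $still) . "\n";
}
```

Running it with php-cli only proves the CLI configuration; the web-server SAPI needs its own run (for example via a one-line page) because it reads a separate php.ini.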

Chayak
July 19th, 2011, 09:07 PM
Alright, just to test the stack protection against the vulnerability I wrote some quick code to exploit it. The stack protection caught it as expected.

No, I will not post the code, so don't ask. I did this just to show that it's not the end of the world if someone manages to run the exploit on your system. It'll terminate that PHP instance and the system will continue like nothing happened.

I executed the script with php-cli, PHP 5.3.6, on an Ubuntu 11.04 desktop.


CVE-2011-1938 PHP socket_connect() overflow exploit
Smashing the stack!
*** buffer overflow detected ***: php terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x50)[0xafddf0]
/lib/i386-linux-gnu/libc.so.6(+0xe4cca)[0xafccca]
php[0x81ef777]
php[0x835fe3e]
php(execute+0x1bc)[0x833910c]
php(zend_execute_scripts+0x58)[0x8312448]
php(php_execute_script+0x1de)[0x82b76de]
php[0x83b2274]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0xa2ee37]
php[0x8067261]
======= Memory map: ========
<snip>