PHP 4 - Reference Counter Overflow Fix

Sunday, May 20. 2007

Sunday, May 20. 2007



Because the PHP developers do not want to fix the PHP 4 Reference Counter Overflow Vulnerability that was disclosed during the Month of PHP Bugs the Hardened-PHP Project as usual had to step in to protect the users of PHP.


I created a patch for the refcount overflow problem that took about 30 minutes to develop and that fixes the problem without breaking binary compatibility. Something that is according to claims of Zend Engine developer and Zend employee Stanislav Malyshev not possible at the moment. You can apply it directly or wait until it was ripped and merged into the default PHP CVS after it was relabled as the work of the PHP developers.


Posted by Stefan Esser in Security, PHP at 15:06
Comments (11)
Link to this post


Comments
Display comments as (Linear | Threaded)

#1 Martin ()
Slightly OT: I like your sense for sarcasm.
posted on Sunday, May 20. 2007
#2 Robert ()
While it seems you're trying to do the right thing, do you honestly think it helps to continually pat yourself on the back and call people out by name? Just say you made a patch, and leave it at that.
posted on Sunday, May 20. 2007
#2.1 Stefan Esser wrote (Link) ()
Robert,

if you don't like how I release my patch then there is a simple solution: Don't use it and stay vulnerable.

BTW: Stanislav requested personally on the internal list that I stop saying the PHP developers do this and that, because they are all individuals. He now simply gets what he asked for.
posted on Sunday, May 20. 2007
#2.2 Andrew ()
Personally I have no problems with Stefan's arrogance as there is no one that is as capable as he is. I appreciate the work he does to find and fix these security bugs in PHP.

Also, it makes the blog more entertaining ;-).
posted on Monday, May 21. 2007
#2.2.1 flop ()
I totally agree with you!
posted on Wednesday, May 30. 2007
#3 Stanislav Malyshev ()
I would advise for people that care for performance of their PHP and for fixing the problem for real not to apply this patch, since it adds a load of function calls, totally unneeded btw, and does not cover all the cases.

Why Stefan decided to publish this patch even though much better one was published on PHP lists _and_ tested for performance (which, contrary to what I previously thought, proved to be acceptable) _and_ accounts for other places in PHP that are not covered by Stefan's patch - remains a mystery to me.
See here for the patch:
http://news.php.net/php.internals/29582
posted on Wednesday, May 23. 2007
#3.1 Stefan Esser wrote (Link) ()
First of all it is not necessary to catch all the places. This isn't possible anyway because of non behaving PHP/Zend extensions.

And Stas I suggest that you stop making a fool out of yourself.

This blogposting was posted BEFORE the SuSE patch was posted to internals and that is the reason why I post my patch.

Ohh btw... you can criticize my work the whole day long. I made it pretty much clear that I developed it in 30 minutes as proof of concept to dismantle your lie that a fix is NOT POSSIBLE. Oh wait. The PHP developers had only 2.5 months time to develop something and came up with NOTHING.
posted on Wednesday, May 30. 2007
#3.1.1 Stanislav Malyshev ()
"This blogposting was posted BEFORE the SuSE patch was posted to internals"

So, I presume now that you know there's a much better patch you surely mentioned it in your post? Or at least you mentioned in your post that your patch is inferior and may have problems with both performance and reliability (since there are still places where refcounts are modified in extensions and you didn't touch them)?

Oh wait. You didn't. Why bother.
posted on Friday, June 1. 2007
#3.1.1.1 Stefan Esser wrote (Link) ()
Stanislav I already commented on the SuSE patch on the internals list.

My patch might be slower because it was a proof of concept of something you obviously were not able to produce in 2.5 months.

However I already commented about the fact that just calling zend_error() when a security violation is triggered is another potential security problem.

I know that you don't understand the basic concepts of security. You proof it everyday in your nonsense comments in my blog and on the internals list.
posted on Friday, June 1. 2007
#4 dlx wrote (Link) ()
Lovely !
Give it to them, the "PHP developers" deserve it. Go Stefan, Go.
Thanks for you work, and thanks for bashing the "PHP developers".
posted on Wednesday, May 23. 2007
#5 php wrote (Link) ()
Don't do it.
posted on Friday, May 25. 2007

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
 

Submitted comments will be subject to moderation before being displayed.
 
Calendar
Back September '09
Mon Tue Wed Thu Fri Sat Sun
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30        
Archives
September 2009
August 2009
July 2009
Recent...
Older...
Categories

All categories
Syndicate This Blog
Protected By

Hardening-Patch for PHP