FS#57579 - [php-fpm] CVE-2015-9253
Attached to Project: Arch Linux
Opened by Karol Babioch (kbabioch) - Tuesday, 20 February 2018, 10:29 GMT
Last edited by Pierre Schmitz (Pierre) - Sunday, 25 August 2019, 09:01 GMT
Details
An issue was discovered in PHP through 7.2.2. The php-fpm
master process restarts a child process in an endless loop
when using program execution functions (e.g., passthru,
exec, shell_exec, or system) with a non-blocking STDIN
stream, causing this master process to consume 100% of the
CPU, and consume disk space with a large volume of error
logs, as demonstrated by an attack by a customer of a
shared-hosting facility.
References:
https://bugs.php.net/bug.php?id=70185
https://bugs.php.net/bug.php?id=75968
https://www.futureweb.at/Futureweb-OG-php-fpm-master-process-restarts-child-process-in-a_pid,54177,type,firmeninfo.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9253
Comment by Remi Gacogne (rgacogne) - Sunday, 23 September 2018, 15:09 GMT
According to https://github.com/php/php-src/commit/69dee5c732fe982c82edb17d0dbc3e79a47748d8 this was fixed in 7.2.8, so we should be fine since 7.2.8-1.