FS#57579 - [php-fpm] CVE-2015-9253

Attached to Project: Arch Linux
Opened by Karol Babioch (kbabioch) - Tuesday, 20 February 2018, 10:29 GMT
Last edited by Pierre Schmitz (Pierre) - Sunday, 25 August 2019, 09:01 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Pierre Schmitz (Pierre)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

An issue was discovered in PHP through 7.2.2. The php-fpm master process restarts a child process in an endless loop when using program execution functions (e.g., passthru, exec, shell_exec, or system) with a non-blocking STDIN stream, causing this master process to consume 100% of the CPU, and consume disk space with a large volume of error logs, as demonstrated by an attack by a customer of a shared-hosting facility.

References:
https://bugs.php.net/bug.php?id=70185
https://bugs.php.net/bug.php?id=75968
https://www.futureweb.at/Futureweb-OG-php-fpm-master-process-restarts-child-process-in-a_pid,54177,type,firmeninfo.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9253
This task depends upon

Closed by  Pierre Schmitz (Pierre)
Sunday, 25 August 2019, 09:01 GMT
Reason for closing:  Fixed
Comment by Remi Gacogne (rgacogne) - Sunday, 23 September 2018, 15:09 GMT
According to https://github.com/php/php-src/commit/69dee5c732fe982c82edb17d0dbc3e79a47748d8 this was fixed in 7.2.8 so we should be fine since 7.2.8-1.

Loading...