Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence

[Erik Auerswald <auerswal () unix-ag uni-kl de>]

Hi,

On Mon, May 27, 2024 at 12:31:46PM +0200, Florian Weimer wrote:
> > Although very late, here is a follow up explaining the impact of the
> > vulnerability.
> >
> > Provided that you can force an application to convert a partially
> > controlled buffer to ISO-2022-CN-EXT, you get an
> > overflow of 1 to 3 bytes whose value you don't control.
> >
> > This can be triggered in at least two ways in PHP:
> >
> > - Through direct calls to iconv()
> > - Through the use of PHP filters (i.e. using a "file read" vulnerability)
> >
> > Due to the way PHP's heap is built, you can use such a memory
> > corruption to alter part of a free list pointer,
> > which can in turn give you an arbitrary write primitive in the
> > program's memory.
> >
> > With this bug, any person that has a file read vulnerability with a
> > controlled prefix on a PHP application has RCE.
>
> Out of curiosity, why would PHP translate a file to ISO-2022-CN-EXT
> while reading it?  It's not even an ASCII-transparent charset.

According to <https://www.ambionics.io/blog/iconv-cve-2024-2961-p1>, PHP
can be told to do so via "php://filter/…", a default behavior of PHP,
it seems (I have just skimmed that page and do not know any details).

HTH,
Erik