oss-sec mailing list archives

CVE id request: another geshi issue (was: [oss-security] GeSHi: Clarification about the recent security (non-)issues (SA32559))


From: Nico Golde <oss-security+ml () ngolde de>
Date: Thu, 20 Nov 2008 13:04:49 +0100

Hi,
* Christian Hoffmann <hoffie () gentoo org> [2008-11-10 19:09]:
I was reading up on Secunia Advisory 32559 [1] and the related upstream
statement [2] and ChangeLog [3] and well, it left me with some mixed
impressions, what's true and what not, so I took a closer look.
[...] 
A more important issue has been silently fixed as well. Unfortunately
I can not find a public reference or a changelog entry for it.
A user can get geshi into an infinite loop and thus cause
a DoS (the php process will eat a lot of CPU) by highlighting a
crafted xml sequence. As a PoC '<' works.

The upstream fix for this is 
http://geshi.svn.sourceforge.net/viewvc/geshi/trunk/geshi-1.0.X/src/geshi.php?r1=1321&r2=1322&view=patch

Let me explain a little.
geshi.php:
   1520         $code = "\n" . $code . "\n";
    ..
   1523         $length           = strlen($code);
    ..
   1545             for ($i = 0; $i < $length; ++$i) {
   1546                 foreach ($this->language_data['SCRIPT_DELIMITERS'] as $delimiters) {
   1547                     foreach ($delimiters as $open => $close) {
   1548                         // Get the next little bit for this opening string
   1549                         $open_strlen = strlen($open);
   1550                         $check = substr($code, $i, $open_strlen);
   1551                         // If it matches...
   1552                         if ($check == $open) {
    ..
   1556                             $parts[$k][0] = $open;
   1557                             $close_i = strpos($code, $close, $i + $open_strlen)  + strlen($close);
   1558                             if ($close_i === false) {
   1559                                 $close_i = $length - 1;
   1560                             }
    ..
   1562                             $i = $close_i - 1;
    ..
   1569                         }
   1570                     }
   1571                 }

$this->language_data['SCRIPT_DELIMITERS'] is defined as an array of arrays that
holds start and end tags; in the case of xml this holds a tuple ('<', '>')
and assigns them to $open and $close.

For < in line 1557 strpos will fail, resulting in false, because there is no
close tag.  Adding strlen($close) to it will result in $close_i being 1. In
line 1562 $i will be set to $close_i - 1, resulting in 0. The loop starts again
and $i is 1 again -> infinite loop.

Steve, can you assign a CVE id to this? This should affect every version < 1.0.8.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
