
Loops can cause php-fpm exhaustion (CVE-2021-42040)
Closed, Resolved | Public | Security

Description

In https://phabricator.miraheze.org/T7695,

> Extension:Loops has a loop counter that should prevent a loop from executing more than 100 times. However, simply creating a page with:
>
> {{#while:|true|}}
>
> causes it to loop indefinitely, which hangs php-fpm and consumes all available resources.
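The report gives the symptom but not the code path that lets the counter be bypassed, so what follows is an added illustration, not Extension:Loops code and not the patch discussed in this task, of the invariant any fix has to preserve: a per-parse iteration budget checked at the top of every pass, before the condition is evaluated, so that an empty condition name or an empty body can never route around it. The class and exception names (BoundedLoops, LoopBudgetExceeded), the MAX_ITERATIONS constant and the way passes are counted are assumptions made for this example; 100 is simply the limit the report quotes.

```php
<?php
// Added illustration, not Extension:Loops code: a minimal "#while" evaluator
// whose iteration budget is enforced on every pass, before the condition is
// even looked at, so degenerate input such as {{#while:|true|}} (empty
// variable name, constant-true test, empty body) still terminates.

declare(strict_types=1);

final class LoopBudgetExceeded extends RuntimeException {}

final class BoundedLoops
{
    // Hypothetical limit shared by every loop on the page being parsed.
    // 100 mirrors the figure quoted in the task, not a real config value.
    public const MAX_ITERATIONS = 100;

    private int $used = 0;

    /**
     * Emulates {{#while:<var>|<condition>|<body>}}.
     * $cond and $body are callables taking the iteration index, standing in
     * for the wikitext that the real extension re-expands on every pass.
     *
     * @return string concatenated body output
     */
    public function whileLoop(callable $cond, callable $body): string
    {
        $out = '';
        for ($i = 0; ; $i++) {
            // The guard comes first: an empty condition or empty body must
            // never let control skip past the budget check.
            if ($this->used >= self::MAX_ITERATIONS) {
                throw new LoopBudgetExceeded(
                    'loop budget of ' . self::MAX_ITERATIONS . ' iterations exhausted'
                );
            }
            $this->used++;
            if (!$cond($i)) {
                break;
            }
            $out .= $body($i);
        }
        return $out;
    }

    public function iterationsUsed(): int
    {
        return $this->used;
    }
}

// Constructed input: the always-true, empty-body loop from the report.
$loops = new BoundedLoops();
try {
    $loops->whileLoop(fn (int $i): bool => true, fn (int $i): string => '');
} catch (LoopBudgetExceeded $e) {
    echo $e->getMessage(), PHP_EOL;
}
echo 'passes consumed by the runaway loop: ', $loops->iterationsUsed(), PHP_EOL;

// A well-behaved loop stops by itself and leaves budget for later loops
// on the same page, because the counter lives on the shared object.
$loops = new BoundedLoops();
$text = $loops->whileLoop(
    fn (int $i): bool => $i < 3,
    fn (int $i): string => "row$i "
);
echo $text, PHP_EOL;
echo 'passes consumed by the bounded loop: ', $loops->iterationsUsed(), PHP_EOL;
```

Run it with `php bounded_loops.php` (PHP 7.4 or later for arrow functions and typed properties). Two design choices carry the security point: the counter lives on an object that outlives a single `{{#while}}`, so every loop on one page draws from the same budget, and the check precedes the condition call, so a constant-true test with no body, the exact input in the report, is cut off at the limit instead of pinning a php-fpm worker until it is killed.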

Details

Author Affiliation
Other (Please specify in description)

Event Timeline

Restricted Application added a subscriber: Aklapper.
RhinosF1 added a subscriber: Southparkfan.

Tentatively high as this caused significant performance issues lasting hours.

sbassett added a subscriber: sbassett.

Untagging Security-Team for now. If someone posts a patch for review or this gets to the point where it should be a part of the supplemental security announcement, we can help out with that and track as appropriate.

+1 to the patch above. Since ext:Loops isn't deployed on WMF infrastructure, there's nothing for the Security-Team to do regarding deployment, but we'd recommend:

  1. Careful disclosure of this issue and patch to other operators of ext:Loops prior to backporting
  2. Tracking this issue for the next supplemental security release (T285414)

I'm going to try and find someone with time so we can still get backports out as soon as Jenkins allows us to reduce the wait after the patch is uploaded.

@sbassett: can you request a CVE?

Yes, though I typically wait until the supplemental security release comes out, which is usually around the end of the quarter (September 30, 2021 being the next end of quarter for the WMF).

It has my +2 but I can't say if it's good enough to go through gerrit or not. I leave that to the security team on which method is better to handle this security patch.

> ...I can't say if it's good enough to go through gerrit or not. I leave that to the security team on which method is better to handle this security patch.

For these types of extensions - non-bundled, non-Wikimedia-deployed - the Security-Team typically leaves the decision on the timing of backports to the current maintainers, and then attempts to track them within the quarterly supplemental security announcement. Ideally, some general version of the following steps would be followed by the current maintainers, but given limited resources and imperfect/impossible tracking of where such extensions are production-deployed outside of Wikimedia, they merely serve as guidance:

  1. A private task is filed in Phabricator fully describing the issue (done here)
  2. A security patch is written and posted for review on said private task (done here)
  3. Once approved, the issue and security patch are disclosed and provided to relevant MediaWiki operators (difficult)
  4. Any relevant backports, including to master, are performed within gerrit (or github or wherever)
  5. The issue and all relevant information (including any requested CVEs) are disclosed a second time via the quarterly supplemental security announcement for increased visibility (the Security-Team is happy to help with this piece)
sbassett lowered the priority of this task from High to Low. Jul 28 2021, 8:35 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".

With the patch merged, is there anything immediately left to do here?

> With the patch merged, is there anything immediately left to do here?

Still needs a CVE & to be included in the next security announcement.

> ...
>
> 1. Tracking this issue for the next supplemental security release (T285414)

Turns out I never did this, sorry about that. Anyhow, it's there now. With this task being public and the backports merged, this can definitely be resolved. I like to leave tasks like this open, so that I remember there's something still left to do (CVE) for the supplemental announcement. But that's definitely not a big deal, and if this is cluttering other people's boards, etc., it should be resolved.

sbassett renamed this task from Loops can cause php-fpm exhaustion to Loops can cause php-fpm exhaustion (CVE-2021-42040). Oct 7 2021, 8:35 PM