Bug 1154500 (CVE-2014-3669)

Summary: CVE-2014-3669 php: integer overflow in unserialize()
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: chazlett, fedora, fkrska, jorton, jrusnack, mmaslano, rcollet, sebastian.leitz, vdanen, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 5.4.34, php 5.5.18, php 5.6.2 Doc Type: Bug Fix
Doc Text:
An integer overflow flaw was found in the way custom objects were unserialized. Specially crafted input processed by the unserialize() function could cause a PHP application to crash.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-06 17:59:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1154638, 1154639, 1155019, 1155020, 1155021, 1155022, 1155023, 1155024, 1170147    
Bug Blocks: 1149858, 1154506    

Description Murray McAllister 2014-10-20 04:17:05 UTC 
An integer overflow flaw in PHP's unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure. It is not clear if code execution is possible or not.

It was reported that this issue only affects 32-bit systems. It has been fixed in upstream versions 5.4.34, 5.5.18, and 5.6.2.

References:
http://git.php.net/?p=php-src.git;a=commit;h=56754a7f9eba0e4f559b6ca081d9f2a447b3f159
https://bugs.php.net/bug.php?id=68044
http://php.net/ChangeLog-5.php
Comment 2 Murray McAllister 2014-10-20 04:23:28 UTC 
5.5.18 is already in Fedora testing, so no Fedora trackers for this (or bug 1154502 and bug 1154503)
Comment 9 Tomas Hoger 2014-10-21 11:50:19 UTC 
(In reply to Murray McAllister from comment #0)
> It was reported that this issue only affects 32-bit systems.

This issue does not seem to be 32-bit specific per se.  Problematic code check is:

  pointer1 + long >= pointer2

Attacker providing crafted serialized input has full control over the long value.  As the variable is signed, and there is another check to ensure that its value is not negative, overflow can happen if pointer1 + long overflow.  That can only happen if pointer1 points to the upper half of the address range, as the maximum long value is approximately half of the maximum pointer value.  That is lot more likely on 32-bit systems than on 64-bit systems.  Attacker has limited control over pointer1.
Comment 13 Martin Prpič 2014-10-30 11:11:47 UTC 
IssueDescription:

An integer overflow flaw was found in the way custom objects were unserialized. Specially crafted input processed by the unserialize() function could cause a PHP application to crash.
Comment 14 errata-xmlrpc 2014-10-30 19:45:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1768 https://rhn.redhat.com/errata/RHSA-2014-1768.html
Comment 15 errata-xmlrpc 2014-10-30 19:47:01 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html
Comment 16 errata-xmlrpc 2014-10-30 19:49:31 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html
Comment 17 errata-xmlrpc 2014-10-30 20:16:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:1767 https://rhn.redhat.com/errata/RHSA-2014-1767.html
Comment 18 errata-xmlrpc 2014-11-06 17:01:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1824 https://rhn.redhat.com/errata/RHSA-2014-1824.html
Comment 20 errata-xmlrpc 2015-01-08 18:16:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only

Via RHSA-2015:0021 https://rhn.redhat.com/errata/RHSA-2015-0021.html