Bug 1185397 (CVE-2015-0231)

Summary: CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Reopened, Security
Reporter: Vasyl Kaigorodov <vkaigoro>
Assignee: Red Hat Product Security <security-response-team>
CC: bressers, fedora, glen, jorton, ksakai2, mmaslano, rcollet, webstack-team, wmealing
Fixed In Version: php 5.4.37, php 5.5.21, php 5.6.5
Doc Type: Bug Fix
Doc Text:
A use-after-free flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass crafted input to PHP's unserialize() function, they could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
Last Closed: 2015-07-09 21:44:06 UTC
Bug Depends On: 1204765, 1204766, 1205733, 1205734
Bug Blocks: 1185412, 1210213

Description Vasyl Kaigorodov 2015-01-23 16:01:23 UTC
It was discovered that the fix for CVE-2014-8142 (use after free vulnerability in unserialize(), see bug 1175718) was incomplete.

Upstream bug:
https://bugs.php.net/bug.php?id=68710

Upstream commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=b585a3aed7880a5fa5c18e2b838fc96f40e075bd
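Added example (not code from this bug report, from Red Hat, or from PHP upstream). The Doc Text above names the precondition for exploiting this flaw and its predecessor CVE-2014-8142: attacker-controlled bytes reaching unserialize(). The wrapper below removes that precondition by authenticating serialized blobs with an HMAC under a secret the attacker does not hold, so unserialize() only ever parses data the application itself produced. It assumes a 32-byte-or-longer secret shared by the trusted writer and reader, hash_hmac() from ext/hash, and hash_equals() where available (PHP 5.6.0 and later) with a constant-time fallback for the 5.4/5.5 builds this report covers. The function names, envelope format and sample data are this example's own. It does not fix the parser bug; the interpreter still needs the fixed release.

```php
<?php
// Added example, not from the bug report or PHP upstream.
// Constant-time string compare; falls back for PHP < 5.6 where hash_equals() is absent.
function ct_equals($known, $user)
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $user);
    }
    if (!is_string($known) || !is_string($user) || strlen($known) !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// Envelope layout (this example's own): "<64 hex chars of HMAC-SHA256>|<base64(serialize($value))>".
function sealed_serialize($value, $key)
{
    if (strlen($key) < 32) {
        throw new InvalidArgumentException('key must be at least 32 bytes');
    }
    $blob = serialize($value);
    return hash_hmac('sha256', $blob, $key) . '|' . base64_encode($blob);
}

// Returns the decoded value or throws. unserialize() runs only after the tag
// verifies, so forged, truncated or bit-flipped payloads never reach the parser.
function sealed_unserialize($envelope, $key)
{
    $parts = explode('|', $envelope, 2);
    if (count($parts) !== 2 || !preg_match('/^[0-9a-f]{64}$/', $parts[0])) {
        throw new RuntimeException('malformed envelope');
    }
    $blob = base64_decode($parts[1], true);   // strict mode rejects non-base64 characters
    if ($blob === false) {
        throw new RuntimeException('malformed envelope');
    }
    if (!ct_equals(hash_hmac('sha256', $blob, $key), $parts[0])) {
        throw new RuntimeException('authentication failed');
    }
    return unserialize($blob);
}

// Demo with a constructed key and value (use random bytes from a CSPRNG in practice).
$key = str_repeat("\x42", 32);
$env = sealed_serialize(array('user' => 'alice', 'roles' => array('viewer')), $key);
var_dump(sealed_unserialize($env, $key));    // round-trips the array

// An attacker keeps the old tag but substitutes their own serialized object:
// the HMAC over the new blob no longer matches and the data is discarded
// before unserialize() sees it.
$forged = substr($env, 0, 65) . base64_encode('O:8:"stdClass":0:{}');
try {
    sealed_unserialize($forged, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Where the data is genuinely untrusted (cookies, form fields, queue messages from other parties), prefer json_decode() over any use of unserialize(); the wrapper is for state the application wrote itself and needs to read back. On PHP 7.0 and later, additionally pass array('allowed_classes' => false) or an explicit allow-list as the second argument to unserialize(); that option does not exist in the 5.x releases discussed here.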

Comment 1 Tomas Hoger 2015-01-30 20:15:43 UTC
Fixed upstream in PHP 5.6.5, 5.5.21, and 5.4.37:

http://php.net/ChangeLog-5.php#5.6.5
http://php.net/ChangeLog-5.php#5.5.21
http://php.net/ChangeLog-5.php#5.4.37

Comment 2 ksakai2 2015-02-03 02:37:24 UTC
When will updated package for php-5.3.3 in RHEL6 release?

Comment 3 Remi Collet 2015-02-03 06:14:42 UTC
As for CVE-2014-8142, PHP 5.3 is not affected by this vulnerability.

Comment 4 Elan Ruusamäe 2015-02-05 10:18:45 UTC
(this is not a Red Hat system below)

PHP 5.3.3 may not be affected, but my PHP 5.3.29 does crash:

[~/rpm/packages/php (PHP_5_3)⚡] ➔ gdb --args /usr/bin/php53  CVE-2015-0231.php 
GNU gdb (GDB) 7.8.1-1 (PLD Linux)
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pld-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/php53...Reading symbols from /usr/lib/debug/usr/bin/php53.debug...done.
done.
(gdb) r
Starting program: /usr/bin/php53 CVE-2015-0231.php
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
PHP Warning:  Cannot open '/usr/share/browscap/php_browscap.ini' for reading in Unknown on line 0
PHP 5.3.29 - php53-common-5.3.29-8.x86_64


Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ca2644 in zend_get_class_entry (zobject=0x6ae558) at /usr/src/debug/php-5.3.29/Zend/zend_API.c:229
229             if (Z_OBJ_HT_P(zobject)->get_class_entry) {
(gdb) bt
#0  0x00007ffff7ca2644 in zend_get_class_entry (zobject=0x6ae558) at /usr/src/debug/php-5.3.29/Zend/zend_API.c:229
#1  0x00007ffff7b99732 in object_common2 (rval=0x7fffffff9f88, p=0x7fffffff9fa8, max=0x6a9b31 "", var_hash=0x7fffffff9fb0, elements=8)
    at /usr/src/debug/php-5.3.29/ext/standard/var_unserializer.c:374
#2  0x00007ffff7c3d678 in php_var_unserialize (rval=0x7fffffff9f88, p=0x7fffffff9fa8, max=0x6a9b31 "", var_hash=0x7fffffff9fb0)
    at /usr/src/debug/php-5.3.29/ext/standard/var_unserializer.c:684
#3  0x00007ffff7c2e886 in zif_unserialize (ht=<optimized out>, return_value=0x6ae558, return_value_ptr=<optimized out>, this_ptr=<optimized out>, 
    return_value_used=<optimized out>) at /usr/src/debug/php-5.3.29/ext/standard/var.c:936
#4  0x00007ffff7d2e60a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff07bd068) at /usr/src/debug/php-5.3.29/Zend/zend_vm_execute.h:322
#5  0x00007ffff7ce4e43 in execute (op_array=0x6a9990) at /usr/src/debug/php-5.3.29/Zend/zend_vm_execute.h:107
#6  0x00007ffff7ca1b37 in zend_execute_scripts (type=7005528, type@entry=8, retval=0x6ad078, retval@entry=0x0, file_count=6322960, file_count@entry=3)
    at /usr/src/debug/php-5.3.29/Zend/zend.c:1331
#7  0x00007ffff7c4f86b in php_execute_script (primary_file=0x7fffffffc540) at /usr/src/debug/php-5.3.29/main/main.c:2331
#8  0x0000000000404182 in main (argc=7005528, argv=0x6ad078) at /usr/src/debug/php-5.3.29/sapi/cli/php_cli.c:1193
(gdb)

Comment 5 Elan Ruusamäe 2015-02-05 11:15:53 UTC
If someone is interested, I found patches for 5.3.29 here:
https://webtatic.com/news/2015/01/latest-updates-php-5-3-29-4-security-release/
https://repo.webtatic.com/yum/centos/5/SRPMS/repoview/php.html

Comment 6 Fedora Update System 2015-02-06 03:59:39 UTC
php-5.6.5-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-02-06 04:03:24 UTC
php-5.5.21-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Vincent Danen 2015-02-09 14:29:03 UTC
Statement:

This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 5 and 6 or the versions of php53 as shipped with Red Hat Enterprise Linux 5 as the original flaw (CVE-2014-8142) did not affect these versions.

Comment 9 Remi Collet 2015-02-16 15:20:33 UTC
I confirm that php 5.3.3 is not affected.
None of the upstream reproducers cause a segfault (bugs 68594, 68710).

The affected piece of code was added in 5.3.9 [1].
So this CVE probably affects php >= 5.3.9.

[1] https://github.com/php/php-src/commit/d3fdacb99fab186654bdf2f3adb17d9c628202f0
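Added example (not from the bug report). It encodes the version facts stated in this report so they can be applied to a fleet: the affected code entered PHP in 5.3.9 (comment 9), the upstream fixes are 5.4.37, 5.5.21 and 5.6.5 (comment 1), the 5.3 branch was already end-of-life and received no upstream fix (5.3.29 was its last release, and comment 4 shows it crashing), and everything from 7.0 on post-dates the fix. The input may be a bare version, a package name such as the ones quoted in comments 4, 6 and 7, or a `php -v` banner. The function names and the status labels are this example's own.

```php
<?php
// Added example, not from the bug report. Upstream fixed releases per branch (comment 1).
function cve_2015_0231_fixed_versions()
{
    return array('5.4' => '5.4.37', '5.5' => '5.5.21', '5.6' => '5.6.5');
}

// Pull "major.minor.patch" out of e.g. "php53-common-5.3.29-8.x86_64" or
// "PHP 5.6.5 (cli) (built: ...)". Returns null when no version is present.
function php_version_core($raw)
{
    if (!preg_match('/(\d+)\.(\d+)\.(\d+)/', $raw, $m)) {
        return null;
    }
    return $m[1] . '.' . $m[2] . '.' . $m[3];
}

// Classify a build by version string alone. Vendor packages that backport a fix
// keep their old version string (the RHSA-patched collections referenced below
// are an instance), so 'vulnerable-by-version' is a prompt to check the package
// changelog (e.g. rpm -q --changelog <package>), not a verdict.
function cve_2015_0231_status($raw)
{
    $v = php_version_core($raw);
    if ($v === null) {
        return 'unknown';
    }
    if (version_compare($v, '5.3.9', '<')) {
        return 'not-affected';               // predates the code added in 5.3.9
    }
    if (version_compare($v, '6.0.0', '>=')) {
        return 'fixed';                      // 7.0 and later carry the fix
    }
    list($major, $minor) = explode('.', $v);
    $fixed  = cve_2015_0231_fixed_versions();
    $branch = $major . '.' . $minor;
    if (!isset($fixed[$branch])) {
        return 'vulnerable-by-version';      // 5.3.9 .. 5.3.29: no upstream fix exists
    }
    return version_compare($v, $fixed[$branch], '>=') ? 'fixed' : 'vulnerable-by-version';
}

// Version strings taken from this report, plus the interpreter running the script.
$samples = array(
    '5.3.3',
    'php53-common-5.3.29-8.x86_64',
    'php-5.6.5-1.fc21',
    'php-5.5.21-1.fc20',
    'PHP 5.4.36 (cli)',
    PHP_VERSION,
);
foreach ($samples as $s) {
    printf("%-32s %s\n", $s, cve_2015_0231_status($s));
}
```

The 'not-affected' result for 5.3.3 and 'vulnerable-by-version' for 5.3.29 reproduce what comments 9 and 4 report; the script is only a first pass, and a package that the vendor has patched (the RHSA references below) must be judged by its changelog or advisory, not by the version number it still carries.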

Comment 13 errata-xmlrpc 2015-06-04 08:03:30 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1066 https://rhn.redhat.com/errata/RHSA-2015-1066.html

Comment 14 errata-xmlrpc 2015-06-04 08:06:51 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1053 https://rhn.redhat.com/errata/RHSA-2015-1053.html

Comment 15 errata-xmlrpc 2015-06-23 08:11:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1135 https://rhn.redhat.com/errata/RHSA-2015-1135.html