Bug 1194741

Summary: php: double free in apprentice_map() when Zend Memory Management disabled
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: bgollahe, bleanhar, carnil, ccoleman, dmcphers, falonso, fedora, jdetiber, jialiu, jkeck, jokerman, jorton, kanderso, kseifried, lmeyer, mmaslano, mmccomas, rcollet, webstack-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: php 5.5.22, php 5.6.6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-03-30 09:34:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1194715

Description Vasyl Kaigorodov 2015-02-20 16:30:04 UTC
It was reported [1] that when PHP is running with Zend Memory Management disabled, the "fileinfo" extension might free() a region of memory twice.
Upstream commit that fixes this:
http://git.php.net/?p=php-src.git;a=commit;h=91aa340180eccfc15d4a143b54d47b8120f898be

[1]: https://bugs.php.net/bug.php?id=68827

Comment 1 Francisco Alonso 2015-03-10 14:32:07 UTC
Fixed upstream in PHP 5.6.6 and 5.5.22:

http://php.net/ChangeLog-5.php#5.6.6
http://php.net/ChangeLog-5.php#5.5.22

Comment 2 Francisco Alonso 2015-03-30 09:34:20 UTC
Statement:

Red Hat Product Security does not consider this bug to have any security impact on the php packages shipped in Red Hat Enterprise Linux. The double free is impossible to trigger because the value of map is NULL at the time efree() is called. When using Zend Memory Manager by default, that would result immediately in an out-of-memory (OOM) error.