Bug 1194747 (CVE-2015-2301)

Summary: CVE-2015-2301 php: use after free in phar_object.c
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bleanhar, bressers, briang, carnil, ccoleman, cgr, dmcphers, fedora, jdetiber, jialiu, jkeck, jokerman, jorton, kanderso, kseifried, lmeyer, mmaslano, mmccomas, rcollet, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20150124,reported=20150220,source=internet,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,cwe=CWE-416,rhel-5/php=notaffected,rhel-5/php53=wontfix,rhel-6/php=affected,rhel-7/php=affected,rhscl-1/php54-php=affected,rhscl-1/php55-php=affected,rhscl-2/rh-php56-php=notaffected,fedora-all/php=affected
Fixed In Version: php 5.5.22, php 5.6.6 Doc Type: Bug Fix
Doc Text:
A use-after-free flaw was found in PHP's phar (PHP Archive) paths implementation. A malicious script author could possibly use this flaw to disclose certain portions of server memory.
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-09 21:45:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1204762, 1204763, 1204765, 1204766, 1209880, 1209884, 1209887    
Bug Blocks: 1194715, 1210213    

Description Vasyl Kaigorodov 2015-02-20 16:43:42 UTC
Use after free vulnerability reported in PHP "phar" extension [1].
Upstream commit that fixes this:
http://git.php.net/?p=php-src.git;a=commit;h=b2cf3f064b8f5efef89bb084521b61318c71781b

[1]: https://bugs.php.net/bug.php?id=68901

Comment 1 Francisco Alonso 2015-03-10 14:33:47 UTC
Fixed upstream in PHP 5.6.6 and 5.5.22:

http://php.net/ChangeLog-5.php#5.6.6
http://php.net/ChangeLog-5.php#5.5.22

Comment 7 Carl Riches 2015-05-04 19:46:18 UTC
Can you provide an update on the status of this bug?  The NIST NVD shows a higher vuln score than your whiteboard comments show (above).  This is the NIST rating:

 Original release date: 03/30/2015
Last revised: 04/13/2015
Source: US-CERT/NIST

CVSS Severity (version 2.0):
  CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
  Impact Subscore: 6.4
  Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
  Access Vector: Network exploitable
  Access Complexity: Low
  Authentication: Not required to exploit
  Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Thanks.

Comment 8 errata-xmlrpc 2015-06-04 08:04:05 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1066 https://rhn.redhat.com/errata/RHSA-2015-1066.html

Comment 9 errata-xmlrpc 2015-06-04 08:07:26 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1053 https://rhn.redhat.com/errata/RHSA-2015-1053.html

Comment 10 errata-xmlrpc 2015-06-23 08:12:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1135 https://rhn.redhat.com/errata/RHSA-2015-1135.html

Comment 11 errata-xmlrpc 2015-07-09 17:07:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1218 https://rhn.redhat.com/errata/RHSA-2015-1218.html