Bug 1207682 (CVE-2015-2348)
| Summary: | CVE-2015-2348 php: move_uploaded_file() NUL byte injection in file name | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bleanhar, ccoleman, dmcphers, fedora, jdetiber, jialiu, jkeck, jokerman, jorton, jrusnack, kseifried, lmeyer, mmaslano, mmccomas, rcollet, webstack-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | PHP 5.4.39, PHP 5.5.23, PHP 5.6.7 | Doc Type: | Bug Fix |
| Doc Text: |
It was found that PHP move_uploaded_file() function did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-07-09 21:46:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1204765, 1204766, 1207702, 1209880, 1209884, 1209887 | ||
| Bug Blocks: | 1207679, 1210213 | ||
|
Description
Vasyl Kaigorodov
2015-03-31 13:19:30 UTC
Created php tracking bugs for this issue: Affects: fedora-all [bug 1207702] PHP 5.3.3 in RHEL is not affected,
as already fixed by php-5.3.3-CVE-2006-7243.patch
@@ -5811,6 +5834,14 @@ PHP_FUNCTION(move_uploaded_file)
RETURN_FALSE;
}
+ if (strlen(path) != path_len) {
+ RETURN_FALSE;
+ }
+
+ if (strlen(new_path) != new_path_len) {
+ RETURN_FALSE;
+ }
+
VCWD_UNLINK(new_path);
if (VCWD_RENAME(path, new_path) == 0) {
successful = 1;
So only affects PHP 5.4+
Notice, the check for 'path' is not need as already checked by zend_hash_exists.
So upstream patch use "p" only for 'new_path'
Ok, thank you for pointing this out. So rather than this being an incomplete CVE-2006-7243 fix issue, it's more of a 5.4+ regression of part of the CVE-2006-7243 fix. Similar to CVE-2014-5120, and likely with similar cause to what's described in bug 1132793 comment 7 and bug 1132793 comment 8. The fix noted in comment 8 above is used in php and php53 packages in Red Hat Enterprise Linux 5 and 6, hence those are not affected by this issue. The php packages in Red Hat Enterprise Linux 7 and Red Hat Software Collections 1 are based on upstream 5.4 or 5.5 and are therefore affected. Statement: This issue does not affect the current php and php53 packages in Red Hat Enterprise Linux 5 and 6, as it was previously corrected as part of the fix for CVE-2006-7243. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS Via RHSA-2015:1066 https://rhn.redhat.com/errata/RHSA-2015-1066.html This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS Via RHSA-2015:1053 https://rhn.redhat.com/errata/RHSA-2015-1053.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:1135 https://rhn.redhat.com/errata/RHSA-2015-1135.html |