Bug 1223441 (CVE-2015-3307)

Summary: CVE-2015-3307 php: invalid pointer free() in phar_tar_process_metadata()
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: angelo.alvarez, bleanhar, ccoleman, dmcphers, fedora, jdetiber, jialiu, jkeck, jliggitt, jokerman, jorton, kseifried, lmeyer, mmaslano, mmccomas, rcollet, webstack-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: php 5.4.40, php 5.5.24, php 5.6.8
Doc Type: Bug Fix
Doc Text:
An invalid free flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-09 21:34:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1228052, 1228053, 1228070, 1228071, 1228072, 1228073, 1228074, 1228075, 1228076, 1228077
Bug Blocks: 1213462

Description Vasyl Kaigorodov 2015-05-20 14:00:46 UTC
A vulnerability in PHP was reported whereby the Heap header gets misaligned resulting in the corruption of the heap chunk's metadata.

A heap chunk is allocated in ext/phar/tar.c:167

   metadata = (char *) safe_emalloc(1, entry->uncompressed_filesize, 1);

A reference to this heap chunk is passed into phar_parse_metadata() at ext/phar/tar.c:176

   if (phar_parse_metadata(&metadata, &entry->metadata, entry->uncompressed_filesize TSRMLS_CC) == FAILURE) {

The following gets called within phar_parse_metadata:611 when zip_metadata_len==0

   PHAR_GET_32(*buffer, buf_len);

This moves the pointer referencing the heap chunk by 4 bytes.

When the heap chunk gets freed at tar.c:177:

   efree(metadata);

The heap chunk is now misaligned by 4 bytes. In other words: ZEND_MM_HEADER_OF(metadata).info._size is now
ZEND_MM_HEADER_OF(metadata).info._prev and ZEND_MM_HEADER_OF(metadata).info._prev is tainted with the body's data.

Upstream bug:
https://bugs.php.net/bug.php?id=69443

Upstream patch:
http://git.php.net/?p=php-src.git;a=commitdiff;h=17cbd0b5b78a7500f185b3781a2149881bfff8ae

This patch was for CVE-2015-2783 (bug 1213446), but it inadvertently resolved this vulnerability as well. The vulnerable line that was removed was on ext/phar/phar.c:611

  PHAR_GET_32(*buffer, buf_len);
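
As an added illustration (not code from the report, from PHP, or from the upstream patch), the pointer-advance-then-free shape described above reduced to a small C program. A stand-in GET_32_AND_ADVANCE macro mimics what PHAR_GET_32 does to the caller's pointer, parse_metadata_buggy takes a char ** the way the original phar_parse_metadata did, and parse_metadata_fixed reads through a local cursor so the pointer the caller later hands to free() still points at the start of the allocation. simulate_tar_sequence keeps a separate base pointer and reports how far the parser moved the caller's pointer; on the buggy path that offset (4 bytes) is exactly the misalignment that turned efree(metadata) into an invalid free. All function and macro names, the 8-byte payload and the simulated tar.c sequence are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for PHP's PHAR_GET_32: read a 32-bit little-endian
 * value at buf and then advance buf by 4. The advance is the important
 * part: whatever pointer expression is passed as buf no longer points at
 * the start of the allocation afterwards. */
#define GET_32_AND_ADVANCE(buf, var) do {                         \
    const unsigned char *p_ = (const unsigned char *)(buf);      \
    (var) = (uint32_t)p_[0] | ((uint32_t)p_[1] << 8) |           \
            ((uint32_t)p_[2] << 16) | ((uint32_t)p_[3] << 24);   \
    (buf) += 4;                                                   \
} while (0)

/* Buggy shape (constructed): the parser receives the caller's pointer by
 * reference and the macro advances it in place. The caller still believes
 * it owns the original allocation start. */
int parse_metadata_buggy(char **buffer, size_t buf_len, uint32_t *out_len)
{
    if (buf_len < 4)
        return -1;
    GET_32_AND_ADVANCE(*buffer, *out_len);  /* caller's pointer moved by 4 */
    return 0;
}

/* Fixed shape (constructed): parse through a local cursor. The caller's
 * pointer is never modified, so free() later receives the allocation start. */
int parse_metadata_fixed(const char *buffer, size_t buf_len, uint32_t *out_len)
{
    const char *cursor = buffer;
    if (buf_len < 4)
        return -1;
    GET_32_AND_ADVANCE(cursor, *out_len);   /* only the local cursor moves */
    return 0;
}

/* Simulates the allocate / parse / free sequence from the report with a
 * constructed 8-byte payload (a 4-byte length of 16 followed by 4 bytes of
 * body). Returns the offset, in bytes, between the allocation start and the
 * pointer the caller would have passed to free(): 4 on the buggy path, 0 on
 * the fixed path. The original base pointer is always the one freed here,
 * because freeing the advanced pointer is the invalid free being shown. */
ptrdiff_t simulate_tar_sequence(int use_buggy, uint32_t *parsed_len)
{
    static const unsigned char payload[8] = {
        0x10, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd'   /* constructed */
    };
    char *metadata = malloc(sizeof payload);
    char *base = metadata;                  /* allocation start, kept for free() */
    ptrdiff_t offset;

    if (metadata == NULL)
        return -1;
    memcpy(metadata, payload, sizeof payload);
    *parsed_len = 0;

    if (use_buggy)
        parse_metadata_buggy(&metadata, sizeof payload, parsed_len);
    else
        parse_metadata_fixed(metadata, sizeof payload, parsed_len);

    offset = metadata - base;               /* how far the caller's pointer drifted */
    free(base);
    return offset;
}

int main(void)
{
    uint32_t len;
    ptrdiff_t off;

    off = simulate_tar_sequence(1, &len);
    printf("buggy parser: length=%u, pointer offset before free=%ld\n",
           len, (long)off);
    off = simulate_tar_sequence(0, &len);
    printf("fixed parser: length=%u, pointer offset before free=%ld\n",
           len, (long)off);
    return 0;
}
```

The general lesson is the same as in the report: any parser that takes a pointer by reference and advances it must either restore it or be paired with a caller that retains the original allocation pointer for the release, and an allocator that trusts the bytes immediately before the freed address will read body data as chunk metadata when that rule is broken.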

Comment 1 Vasyl Kaigorodov 2015-05-20 14:02:15 UTC
Original report: http://seclists.org/oss-sec/2015/q2/477

Comment 7 Tomas Hoger 2015-06-05 14:48:10 UTC
The PHP packages as shipped as part of the php54 collection in Red Hat Software Collections were updated to fixed upstream version 5.4.40 via RHSA-2015:1066 released as part of Red Hat Software Collections 2.0.

This issue has been addressed in the php54-php packages in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1066 https://rhn.redhat.com/errata/RHSA-2015-1066.html

Comment 8 Angelo Alvarez 2015-06-11 00:56:43 UTC
Why is it that there is no information on the CVE page as to which PHP versions are affected??  This is frustrating!!! :(  Can someone please help out the customers and update the page?
https://access.redhat.com/security/cve/CVE-2015-3307

Comment 9 errata-xmlrpc 2015-06-23 08:13:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1135 https://rhn.redhat.com/errata/RHSA-2015-1135.html

Comment 10 errata-xmlrpc 2015-06-25 08:32:46 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2015:1186 https://rhn.redhat.com/errata/RHSA-2015-1186.html

Comment 11 errata-xmlrpc 2015-06-25 08:44:05 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2015:1187 https://rhn.redhat.com/errata/RHSA-2015-1187.html

Comment 12 Martin Prpič 2015-06-29 09:43:01 UTC
Statement:

This issue affected all versions of PHP shipped in various Red Hat products, except version PHP 5.1.x that is shipped with Red Hat Enterprise Linux 5.

Comment 13 errata-xmlrpc 2015-07-09 17:08:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1218 https://rhn.redhat.com/errata/RHSA-2015-1218.html