Bug 1234940 (CVE-2015-4644)

Summary: CVE-2015-4644 php: NULL pointer dereference in php_pgsql_meta_data()
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: fedora, jorton, mmaslano, rcollet, webstack-team
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: php 5.4.42, php 5.5.26, php 5.6.10
Doc Type: Bug Fix
Last Closed: 2015-07-21 08:39:27 UTC
Bug Depends On: 1234942
Bug Blocks: 1234941

Description Vasyl Kaigorodov 2015-06-23 14:31:47 UTC
PHP versions 5.4.42, 5.5.26, and 5.6.10 provide a fix for segmentation fault in php_pgsql_meta_data():

Fixed bug #69667 (segfault in php_pgsql_meta_data).

Upstream bug:
https://bugs.php.net/bug.php?id=69667

Upstream fix:
http://git.php.net/?p=php-src.git;a=commitdiff;h=2cc4e69cc6d8dbc4b3568ad3dd583324a7c11d64

Not a security bug upstream, but we found this when testing updates with fixes for CVE-2015-1352 (see bug 1185904).

Comment 1 Vasyl Kaigorodov 2015-06-23 14:36:02 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1234942]

Comment 2 Tomas Hoger 2015-07-21 08:39:27 UTC
Unlike the CVE-2015-1352 issue, this also affected older PHP versions including PHP 5.3.3 as shipped with Red Hat Enterprise Linux.

This issue was already corrected in the latest Red Hat Software Collections PHP package updates:

https://rhn.redhat.com/errata/RHSA-2015-1187.html  rh-php56-php
https://rhn.redhat.com/errata/RHSA-2015-1186.html  php55-php
https://rhn.redhat.com/errata/RHSA-2015-1219.html  php54-php

As the impact of this issue is limited to a PHP interpreter crash, and it is triggered by a crafted database table name when using the pgsql extension, this issue was rated as having Low security impact and is not planned to be corrected in future php package updates in Red Hat Enterprise Linux 6 and 7, and php53 packages in Red Hat Enterprise Linux 5.  The php packages in Red Hat Enterprise Linux 5 were not affected by this issue.

This bug can only be an issue if a PHP application uses untrusted input from a remote user as a database table name.  This is unlikely, and is likely to have a worse impact by itself (e.g. it may lead to SQL injection attacks).  It is assumed that table names (but also column names) used in SQL queries are from a trusted source.

Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not planned to be corrected in future updates for php packages in Red Hat Enterprise Linux 6 and 7, and php53 packages in Red Hat Enterprise Linux 5. The php packages in Red Hat Enterprise Linux 5 were not affected by this issue.
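A defensive wrapper illustrating the assumption stated above, that table names reaching the pgsql extension come from a trusted source. This is an added example, not code from the bug report or from PHP itself; the allowlist contents and the connection string are constructed placeholders.

```php
<?php
// Added example (not from the bug report or PHP's own code): request input
// never reaches pg_meta_data() as a raw table name. The caller's choice is
// resolved through a fixed allowlist of known identifiers instead, so a
// crafted name cannot be handed to php_pgsql_meta_data() at all.
// The allowlist entries below are constructed placeholders.

/** Tables whose metadata the application is allowed to inspect. */
const ALLOWED_TABLES = [
    'users'        => 'public.users',
    'audit_events' => 'audit.events',
];

/**
 * Map a user-supplied key to a trusted, schema-qualified table name.
 * Returns null for unknown keys, so untrusted text is never forwarded.
 */
function resolve_table_name(string $requested): ?string
{
    return ALLOWED_TABLES[$requested] ?? null;
}

/**
 * Fetch column metadata for an allowlisted table only.
 *
 * @param resource|PgSql\Connection $conn  an open pg_connect() handle (assumed)
 * @return array<string, array<string, mixed>>  pg_meta_data() result
 */
function describe_allowed_table($conn, string $requested): array
{
    $table = resolve_table_name($requested);
    if ($table === null) {
        // Reject rather than pass the raw value on; log the key for review.
        throw new InvalidArgumentException("unknown table key: {$requested}");
    }
    $meta = pg_meta_data($conn, $table);
    if ($meta === false) {
        throw new RuntimeException("pg_meta_data failed for {$table}");
    }
    return $meta;
}

// Usage (connection string is a constructed placeholder):
// $conn = pg_connect('host=localhost dbname=app user=app');
// print_r(describe_allowed_table($conn, $_GET['table'] ?? ''));
```

The same resolve-through-allowlist pattern applies to column names and any other identifier that cannot be bound as a query parameter.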