| Summary: | php: Use-after-free in WDDX Packet Deserialization | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | abhgupta, carnil, cbuissar, dmcphers, fedora, jialiu, jokerman, jorton, kseifried, lmeyer, mmaslano, mmccomas, rcollet, tiwillia, webstack-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | php 5.5.31, php 5.6.17 | Doc Type: | Bug Fix |
| Doc Text: | A use-after-free flaw was found in the php_wddx_pop_element() function of PHP's WDDX extension. Unserializing specially crafted input could cause a PHP application to crash or, possibly, execute arbitrary code. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-02-03 13:02:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1297722 | | |
| Bug Blocks: | 1297732 | | |
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1297722]

php-5.6.17-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

php-5.6.17-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Lowering the impact down to moderate based on the following:

* WDDX packet deserialization should not be used with untrusted source: http://php.net/manual/en/function.wddx-deserialize.php#refsect1-function.wddx-deserialize-returnvalues

A use-after-free vulnerability was found that could possibly lead to arbitrary remote code execution.

Vulnerable code:

```c
if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) {
    target_hash = HASH_OF(ent2->data);

    if (ent1->varname) {
        if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
            Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data)) {
            ...
            /* Clean up old array entry */
            zval_ptr_dtor(&ent2->data);

            /* Set stack entry to point to the newly created object */
            ent2->data = obj;

            /* Clean up class name var entry */
            zval_ptr_dtor(&ent1->data);
```

During WDDX packet deserialization the zval_ptr_dtor() call leads to the ZVAL being freed from memory; however, a crafted recordset can still use the already freed memory.

Upstream patch: https://git.php.net/?p=php-src.git;a=commit;h=366f9505a4aae98ef2f4ca39a838f628a324b746

Upstream bug (contains reproducer): https://bugs.php.net/bug.php?id=70661
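As an added illustration (not code from this bug report, from the upstream patch, or from PHP's source), the following C program models the ownership failure described in the comment above: a parser keeps a stack of entries whose payloads are reference-counted, an element pop destroys the container's old payload and replaces it with a freshly built object, and a second pointer that still refers to the old payload is left dangling. The arena allocator, the entry names, and the `field_alias` pointer are constructed for the model; they do not claim to reproduce the exact aliasing path in the WDDX recordset code. The variant that takes a reference on the alias shows one general ownership fix for this bug class, not the upstream patch itself.

```c
/* Model of a use-after-free caused by destroying a shared, refcounted
 * payload while another pointer still aliases it. Constructed example;
 * values live in a fixed arena with an `alive` flag so the dangling state
 * can be observed without dereferencing memory that was actually freed. */
#include <stdio.h>
#include <string.h>

#define ARENA_SLOTS 8
#define STACK_DEPTH 8

typedef struct {
    int refcount;        /* references held by stack entries or aliases */
    int alive;           /* cleared when the last reference is released */
    char payload[32];
} value_t;

typedef struct {
    const char *varname; /* marker such as a class-name variable, or NULL */
    value_t *data;
} stack_entry_t;

typedef struct {
    stack_entry_t entries[STACK_DEPTH];
    int depth;
    value_t *field_alias; /* extra pointer to the container (model of a recordset field) */
} parser_t;

static value_t arena[ARENA_SLOTS];

static void arena_reset(void) { memset(arena, 0, sizeof arena); }

/* Allocate a value holding one reference (analogue of a freshly created zval). */
static value_t *value_new(const char *payload) {
    for (int i = 0; i < ARENA_SLOTS; i++) {
        if (!arena[i].alive && arena[i].refcount == 0) {
            arena[i].alive = 1;
            arena[i].refcount = 1;
            snprintf(arena[i].payload, sizeof arena[i].payload, "%s", payload);
            return &arena[i];
        }
    }
    return NULL;
}

static void value_addref(value_t *v) { if (v) v->refcount++; }

/* Drop one reference; the slot dies when the count reaches zero
 * (analogue of zval_ptr_dtor()). */
static void value_release(value_t *v) {
    if (v && --v->refcount == 0) v->alive = 0;
}

/* Close the top element (ent1) into its container (ent2): build a new object
 * from the container, release the old container payload, point the container
 * entry at the object, then release the closed element's payload. */
static void pop_element(parser_t *p) {
    if (p->depth < 2) return;
    stack_entry_t *ent1 = &p->entries[p->depth - 1];
    stack_entry_t *ent2 = &p->entries[p->depth - 2];
    value_t *obj = value_new("object built from container");
    value_release(ent2->data);   /* "Clean up old array entry" */
    ent2->data = obj;            /* container now points at the new object */
    value_release(ent1->data);   /* "Clean up class name var entry" */
    p->depth--;
}

/* 1 if the outside alias now points at a released slot, else 0. */
static int alias_dangles(const parser_t *p) {
    return p->field_alias != NULL && !p->field_alias->alive;
}

/* Build the minimal stack (container + class-name entry) plus one alias to the
 * container, run the pop, and report whether the alias dangles afterwards.
 * alias_takes_reference == 0 models the buggy ownership, 1 the corrected one. */
static int run_scenario(int alias_takes_reference) {
    parser_t p;
    arena_reset();
    memset(&p, 0, sizeof p);
    value_t *container = value_new("array of fields");
    p.entries[p.depth++] = (stack_entry_t){ NULL, container };
    p.field_alias = container;
    if (alias_takes_reference) value_addref(container);
    p.entries[p.depth++] = (stack_entry_t){ "class_name_marker", value_new("Foo") };
    pop_element(&p);
    return alias_dangles(&p);
}

int main(void) {
    printf("alias without reference dangles: %d\n", run_scenario(0)); /* 1 */
    printf("alias with reference dangles:    %d\n", run_scenario(1)); /* 0 */
    return 0;
}
```

The detection side of the model is the `alive` flag: in the unreferenced case the container slot is released by the pop while `field_alias` still points at it, which is exactly the state a later read of the "recordset" would hit in the real code. Taking a reference on every pointer that outlives the stack entry keeps the slot alive until the last holder releases it.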