Bug 1336784 (CVE-2015-4116)

Summary: CVE-2015-4116 php: Use-after-free vulnerability in the spl_ptr_heap_insert function
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, dmcphers, fedora, jialiu, jokerman, jorton, kseifried, lmeyer, mmaslano, mmccomas, rcollet, tiwillia, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 5.5.27, php 5.6.11 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-19 15:05:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1336786    

Description Andrej Nemec 2016-05-17 12:46:30 UTC 
Use-after-free vulnerability in the spl_ptr_heap_insert function in
ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows
remote attackers to execute arbitrary code by triggering a failed
SplMinHeap::compare operation.


Upstream bugs:

https://bugs.php.net/bug.php?id=69737
https://bugs.php.net/bug.php?id=69721

Upstream fix:

http://git.php.net/?p=php-src.git;a=commit;h=1cbd25ca15383394ffa9ee8601c5de4c0f2f90e1
Comment 1 Tomas Hoger 2016-05-19 15:05:27 UTC 
This flaw is triggered by a fatal error generated in SplMinHeap::compare.  To achieve that reporters created a PHP script which overrides compare method with a custom one that throws such error.  Triggering this without a malicious script is unlikely.  Upstream did not consider this to be a security issue - type of both upstream bug was changed form Security to Bug.  Reporters also assume local attack vector, which implies malicious script author.  PHP has never been safe against malicious scripts, and removal of the safe mode feature in PHP 5.4 acknowledges that:

http://php.net/manual/en/features.safe-mode.php

There is no plan to address this in Red Hat products.