Bug 1416499 (CVE-2016-7480)

Summary: CVE-2016-7480 php: Use of uninitialized value in SplObjectStorag::unserialize
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, fedora, hhorak, jorton, kseifried, rcollet, sardella, tiwillia, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 7.0.12 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-25 16:10:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Adam Mariš 2017-01-25 16:05:54 UTC 
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.

Upstream bug:

https://bugs.php.net/bug.php?id=73257

Upstream patch:

https://github.com/php/php-src/commit/61cdd1255d5b9c8453be71aacbbf682796ac77d4

External References:

http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7/
Comment 1 Adam Mariš 2017-01-25 16:10:35 UTC 
This issue happens when untrusted input is being unserialized which is documented as being insecure. Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. Consider using safe, standard data interchange  format such as JSON.