Bug 1471842 (CVE-2017-11147)

Summary: CVE-2017-11147 php: Out-of-bounds read in phar_parse_pharfile
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, fedora, hhorak, jorton, kseifried, rcollet, sardella, tiwillia, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 5.6.30, php 7.0.15, php 7.1.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-31 14:10:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1554540    
Bug Blocks: 1471847    

Description Adam Mariš 2017-07-17 14:19:25 UTC 
In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler
could be used by attackers supplying malicious archive files to crash
the PHP interpreter or potentially disclose information due to a buffer
over-read in the phar_parse_pharfile function in ext/phar/phar.c.

Upstream bug:

https://bugs.php.net/bug.php?id=73773

Upstream patch:

http://git.php.net/?p=php-src.git;a=commit;h=e5246580a85f031e1a3b8064edbaa55c1643a451
Comment 1 Raphael Sanchez Prudencio 2017-08-30 19:19:09 UTC 
For some reason, example_hostile.phar provided at php bug report does not trigger this vulnerability, but CVE-2016-10159.phar does. This vulnerability is exactly the same problem as in CVE-2016-10159, it was reported again because the fix was not enough and it was still vulnerable.
Comment 2 Remi Collet 2017-08-31 04:52:50 UTC 
About security issues in .phar file

.phar is an archive format designed to distribution application (code, mostly as .war for java)

The format also includes metadata which are stored as serialized strings (so which are affected by all serialized issues, including class leak and wakeup)

In the future, the PHP security team will not manage such issue as security

Serious applications will never allow upload of such file (for ex, I checked Wordpress and GLPI)
Comment 3 Raphael Sanchez Prudencio 2017-08-31 14:12:56 UTC 
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 5 errata-xmlrpc 2018-05-03 05:07:47 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:1296 https://access.redhat.com/errata/RHSA-2018:1296