Bug 1868109 (CVE-2020-7068)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2020-7068 php: Use of freed hash key in the phar_parse_zipfile function | | |
| Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | bnater, fedora, hhorak, icesalov, jlyle, jorton, rcollet, surpatil, tcullum |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | php 7.2.33, php 7.3.21, php 7.4.9 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-08-03 13:06:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1868110, 1869773, 1869774, 1869775, 1869776, 1869777, 1869796, 1977765 | | |
| Bug Blocks: | 1868111 | | |
Description

Michael Kaplan
2020-08-11 17:30:40 UTC

Created php tracking bugs for this issue:

Affects: fedora-all [bug 1868110]

Flaw summary:

The flaw is in phar_parse_zipfile() of ext/phar/zip.c. When processing a PHP archive file (phar), if a persistent entry is used as defined in php.ini, then memory pointed to by the actual_alias pointer is freed. Directly after the free, the actual_alias pointer is passed to zend_hash_str_add_ptr, where it is dereferenced. Prior to the function call, a copy of the memory pointed to by actual_alias is duplicated and assigned to the mydata->alias pointer. The patch simply uses the unfreed mydata->alias pointer as an argument to the zend_hash_add_str() call rather than the freed memory pointed to by actual_alias.

To trigger this flaw, an attacker needs to place a specially crafted file on the server's filesystem and then load it with PHP. The attacker also needs a setting to be present in PHP's configuration file. Due to this, the attack complexity is high, as an attacker would need to find other flaws or already have admin access to the server machine to do this.

In php 5.4 (RHEL7), it's in ext/phar/zip.c ~ line 687:

```c
mydata->alias = entry.is_persistent ? pestrndup(actual_alias, mydata->alias_len, 1) : actual_alias;
if (entry.is_persistent) {
    efree(actual_alias);   /* actual_alias is released here for persistent entries ... */
}
/* ... and the freed pointer is still passed as the hash key below */
zend_hash_add(&(PHAR_GLOBALS->phar_alias_map), actual_alias, mydata->alias_len, (void*)&mydata, sizeof(phar_archive_data*), NULL);
```

In this version, the function is called zend_hash_add instead of zend_hash_str_add.

This issue has been addressed in the following products:

- Red Hat Software Collections for Red Hat Enterprise Linux 7
- Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2992 https://access.redhat.com/errata/RHSA-2021:2992

This bug is now closed.

Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-7068

This issue has been addressed in the following products:

- Red Hat Enterprise Linux 8

Via RHSA-2021:4213 https://access.redhat.com/errata/RHSA-2021:4213
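A constructed C model of the freed-pointer-as-hash-key pattern described in the flaw summary and of the fix that keys on mydata->alias instead. This is added example code, not PHP's source: pestrndup/efree/zend_hash_str_add_ptr are replaced by strndup/free and a small array-backed table, and every function and field name here is an assumption chosen to mirror the bug's description.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for PHP's phar_alias_map: zend_hash_str_add_ptr()
 * becomes a fixed array that copies its key on insert. */
#define ALIAS_MAP_SIZE 8
static struct { char *key; void *value; } alias_map[ALIAS_MAP_SIZE];
static size_t alias_count;

static int alias_map_add(const char *key, size_t len, void *value) {
    if (alias_count == ALIAS_MAP_SIZE) return -1;
    alias_map[alias_count].key = strndup(key, len);  /* reads len bytes of key */
    alias_map[alias_count].value = value;
    alias_count++;
    return 0;
}

/* Only the fields of phar_archive_data that matter here. */
struct phar_archive_data { char *alias; size_t alias_len; };

/* Mirrors the control flow quoted in the bug. actual_alias is a heap string
 * the caller hands over (pestrndup/efree modelled as strndup/free). For a
 * persistent entry it is copied into mydata->alias and then freed, so it
 * dangles before the hash insert. apply_fix chooses the key: 0 reproduces
 * CVE-2020-7068 (AddressSanitizer reports the read of freed memory inside
 * alias_map_add), 1 uses the still-live mydata->alias as the patch does. */
int phar_register_alias(struct phar_archive_data *mydata, char *actual_alias,
                        int is_persistent, int apply_fix) {
    mydata->alias = is_persistent ? strndup(actual_alias, mydata->alias_len)
                                  : actual_alias;
    if (is_persistent) {
        free(actual_alias);
    }
    const char *key = apply_fix ? mydata->alias : actual_alias;
    return alias_map_add(key, mydata->alias_len, mydata);
}

/* Persistent-entry scenario with the fix applied. Returns 1 when the alias
 * is registered under an intact key that maps back to mydata. */
int persistent_alias_registered_ok(void) {
    struct phar_archive_data mydata = { NULL, 5 };
    char *actual_alias = strdup("myapp");   /* constructed request-scoped copy */
    if (!actual_alias) return 0;
    if (phar_register_alias(&mydata, actual_alias, 1, 1) != 0) return 0;
    size_t i = alias_count - 1;
    int ok = strcmp(alias_map[i].key, "myapp") == 0 && alias_map[i].value == &mydata;
    free(mydata.alias);
    return ok;
}
```

Building with -fsanitize=address and calling phar_register_alias(..., 1, 0) shows the heap-use-after-free report that the unpatched code path produces.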