Bug 598537 (CVE-2010-2094, MOPS-2010-025, MOPS-2010-026, MOPS-2010-027, MOPS-2010-028)

Summary: CVE-2010-2094 php: Multiple format string flaws in the phar extension (MOPS-2010-025 MOPS-2010-026 MOPS-2010-027 MOPS-2010-028)
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Reopened, Security
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: jorton, vdanen
Fixed In Version: php 5.3.3
Doc Type: Bug Fix
Last Closed: 2012-06-25 09:57:35 UTC
Bug Depends On: 624469

Description Jan Lieskovsky 2010-06-01 15:21:44 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2094 to
the following vulnerability:

Multiple format string vulnerabilities in the phar extension in PHP
5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive
information (memory contents) and possibly execute arbitrary code via
a crafted phar:// URI that is not properly handled by the (1)
phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4)
phar_wrapper_open_url functions in ext/phar/stream.c; and the (5)
phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers
errors in the php_stream_wrapper_log_error function.

References:
  [1] http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html
  [2] http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.html
  [3] http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.html
  [4] http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.html
  [5] http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.html

Public PoC (from [1]):

$ php -r "fopen('phar:///usr/bin/phar.phar/*%08x-%08x-%08x-%08x-%08x-%08x-%08x-%08x-%08x','r');"

Credit: All flaws discovered by Stefan Esser.
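Added illustration (not code from PHP, from ext/phar, or from the reporter): a small C model of the flaw class the CVE text describes. An error message that embeds the attacker-supplied phar:// path is handed to the stream wrapper's printf-style error logger as the format argument, so every "%08x" in the path becomes a read of a stack or register word, which is what the public PoC above leaks. The function names are hypothetical stand-ins for the ext/phar call sites, the logger is a vsnprintf() stand-in for php_stream_wrapper_log_error(), and the sample input is constructed from the path part of the PoC.

```c
/* Added example: format-string sink with attacker-controlled format,
 * beside the corrected call site. Hypothetical names; not PHP's code. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 512

/* Stand-in for php_stream_wrapper_log_error(): a printf-style sink. */
static void wrapper_log_error(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
}

/* Audit helper: count printf conversion directives in a string that is
 * about to be used as a format ("%%" is a literal percent, not a directive).
 * Any count > 0 on attacker-influenced text means the call site is vulnerable. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Vulnerable pattern: the message, which embeds the URI, IS the format.
 * With the PoC path the vsnprintf() call has nine "%08x" and no arguments:
 * undefined behaviour that in practice prints whatever is in the variadic
 * register save area and on the stack. Returns how many directives the
 * attacker controlled. */
int phar_open_vulnerable(const char *uri, char *out, size_t out_len)
{
    char msg[MSG_MAX];
    snprintf(msg, sizeof msg, "phar error: cannot open \"%s\"", uri);
    wrapper_log_error(out, out_len, msg);     /* BUG: msg used as format */
    return count_format_directives(msg);
}

/* Corrected pattern: a constant "%s" format, message passed as data.
 * The attacker's text is copied, never interpreted. */
int phar_open_fixed(const char *uri, char *out, size_t out_len)
{
    char msg[MSG_MAX];
    snprintf(msg, sizeof msg, "phar error: cannot open \"%s\"", uri);
    wrapper_log_error(out, out_len, "%s", msg);
    return count_format_directives("%s");     /* always 1, never attacker-controlled */
}

/* Returns 1 when the fixed path echoes the URI verbatim (no expansion). */
int fixed_output_matches(const char *uri)
{
    char out[MSG_MAX], expect[MSG_MAX];
    phar_open_fixed(uri, out, sizeof out);
    snprintf(expect, sizeof expect, "phar error: cannot open \"%s\"", uri);
    return strcmp(out, expect) == 0;
}

int main(void)
{
    /* Constructed input: the path part of the public PoC URI. */
    const char *poc =
        "/usr/bin/phar.phar/*%08x-%08x-%08x-%08x-%08x-%08x-%08x-%08x-%08x";
    char out[MSG_MAX];

    printf("directives in attacker text: %d\n", count_format_directives(poc));
    phar_open_fixed(poc, out, sizeof out);
    printf("fixed: %s\n", out);               /* URI echoed verbatim */
    phar_open_vulnerable(poc, out, sizeof out);
    printf("vuln : %s\n", out);               /* hex words leaked from the stack */
    return 0;
}
```

The audit helper is the practical takeaway: when reviewing a wrapper that ends in a printf-family call, trace the format argument back to its source; if any part of it comes from a path, URI or filename, the call site needs the "%s" form regardless of what the message looks like today.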

Comment 4 Tomas Hoger 2010-06-28 09:53:49 UTC
Upstream commit (seems to pre-date MOPS advisories publication by 2+ weeks, but credits Stefan Esser):
  http://svn.php.net/viewvc?view=revision&revision=298667

This upstream commit does not fix phar_stream_flush() case mentioned in MOPS-2010-024.

Comment 5 Tomas Hoger 2010-06-28 10:18:37 UTC
Affected code only exists in PHP 5.3 and later.

Statement:

Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2.

Comment 7 Tomas Hoger 2010-08-23 07:12:49 UTC
(In reply to comment #4)
>   http://svn.php.net/viewvc?view=revision&revision=298667
> 
> This upstream commit does not fix phar_stream_flush() case mentioned in
> MOPS-2010-024.

Fixed now in:
  http://svn.php.net/viewvc?view=revision&revision=302565

Comment 8 Tomas Hoger 2010-08-25 15:35:59 UTC
(In reply to comment #7)
> (In reply to comment #4)
> >   http://svn.php.net/viewvc?view=revision&revision=298667
> > 
> > This upstream commit does not fix phar_stream_flush() case mentioned in
> > MOPS-2010-024.
> 
> Fixed now in:
>   http://svn.php.net/viewvc?view=revision&revision=302565

This got CVE-2010-2950.

Comment 9 Vincent Danen 2010-12-10 21:08:34 UTC
This is fixed in upstream 5.3.4 now.

Comment 14 Huzaifa S. Sidhpurwala 2012-06-25 09:55:29 UTC
Removing CVE-2010-2950 from this bug and filing it separately as bug 835024