Bug 674699 (CVE-2011-0752)

Summary: CVE-2011-0752 php: extract() can overwrite $GLOBALS and $this when using EXTR_OVERWRITE
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jorton, wnefal+redhatbugzilla
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-02-28 18:02:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vincent Danen 2011-02-02 23:27:23 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0752 to
the following vulnerability:

Name: CVE-2011-0752
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0752
Assigned: 20110202
Reference: MLIST:[oss-security] 20101213 Re: Issues without CVE names in PHP 5.3.4/5.2.15 release
Reference: URL: http://www.openwall.com/lists/oss-security/2010/12/13/4
Reference: CONFIRM: http://www.php.net/ChangeLog-5.php
Reference: CONFIRM: http://www.php.net/archive/2010.php#id2010-12-10-1
Reference: CONFIRM: http://www.php.net/releases/5_2_15.php

The extract function in PHP before 5.2.15 does not prevent use of the
EXTR_OVERWRITE parameter to overwrite (1) the GLOBALS superglobal
array and (2) the this variable, which allows context-dependent
attackers to bypass intended access restrictions by modifying data
structures that were not intended to depend on external input, a
related issue to CVE-2005-2691 and CVE-2006-3758.


Upstream has indicated [1] that listing this under the security fixes in 5.2.15 was a mistake.  The 5.3.4 release that also fixes this bug lists it under "Core" [2], rather than under security fixes.

[1] http://www.openwall.com/lists/oss-security/2010/12/13/6
[2] http://www.php.net/ChangeLog-5.php#5.3.4
Comment 1 Vincent Danen 2011-02-02 23:36:40 UTC 
Upstream commit:

http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/array.c?r1=305011&r2=305570

Doesn't look to affect PHP 5.1.x at all.
Comment 4 Tomas Hoger 2011-02-28 18:02:55 UTC 
Closing as not-a-security bug as explained in comment #2.

For posterity, this was fixed in php53 in RHEL-5 before these packages were added in 5.6 (bug #655330) and is planned to be fixed as non-security bug in php update in RHEL-6.1 (bug #655118).
Comment 5 Vincent Danen 2011-07-27 17:12:16 UTC 
Statement:

We do not consider this flaw to be a security issue as it is only exploitable by the script author. No trust boundary is crossed.

This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 3, 4, or 5 (php). This issue was addressed in the php53 packages as shipped in Red Hat Enterprise Linux 5 before their first release in Red Hat Enterprise Linux 5.6, and it was addressed in the php package in Red Hat Enterprise Linux 6 via RHBA-2011:0615.