Bug 1207676 – CVE-2015-2787 php: use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1207676 - (CVE-2015-2787) CVE-2015-2787 php: use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re

Summary:	CVE-2015-2787 php: use-after-free vulnerability in the process_nested_data fu...

Status:	CLOSED ERRATA

Aliases:	CVE-2015-2787

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20150302,repor...
Keywords:	Security

Depends On:	1204762 1204763 1204765 1204766 1207678 1209880 1209884 1209887
Blocks:	1207679 1210213
	Show dependency tree / graph

Reported:	2015-03-31 09:16 EDT by Vasyl Kaigorodov
Modified:	2015-11-25 05:31 EST (History)
CC List:	17 users (show)

See Also:
Fixed In Version:	PHP 5.4.39, PHP 5.5.23, PHP 5.6.7
Doc Type:	Bug Fix
Doc Text:	A flaws was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-07-09 17:46:10 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
PHP Bug Tracker	68976	None	None	None	Never
Red Hat Product Errata	RHSA-2015:1053	normal	SHIPPED_LIVE	Moderate: php55 security and bug fix update	2015-06-04 08:06:06 EDT
Red Hat Product Errata	RHSA-2015:1066	normal	SHIPPED_LIVE	Important: php54 security and bug fix update	2015-06-05 11:42:20 EDT
Red Hat Product Errata	RHSA-2015:1135	normal	SHIPPED_LIVE	Important: php security and bug fix update	2015-06-23 08:11:40 EDT
Red Hat Product Errata	RHSA-2015:1218	normal	SHIPPED_LIVE	Moderate: php security update	2015-07-09 17:01:41 EDT

Groups: None (edit)

Description Vasyl Kaigorodov 2015-03-31 09:16:17 EDT

Common Vulnerabilities and Exposures assigned an identifier CVE-2015-2787 to
the following vulnerability:

Name: CVE-2015-2787
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2787
Assigned: 20150329
Reference: https://gist.github.com/smalyshev/eea9eafc7c88a4a6d10d

Use-after-free vulnerability in the process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before
5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute
arbitrary code via a crafted unserialize call that leverages use of
the unset function within an __wakeup function, a related issue to
CVE-2015-0231.

Comment 1 Vasyl Kaigorodov 2015-03-31 09:17:10 EDT

Created php tracking bugs for this issue:

Affects: fedora-all [bug 1207678]

Comment 2 Tomas Hoger 2015-04-02 08:03:32 EDT

Upstream bug:
https://bugs.php.net/bug.php?id=68976

Upstream commits:
http://git.php.net/?p=php-src.git;a=commitdiff;h=780222f97f47644a6a118ada86a269a96a1e8134
http://git.php.net/?p=php-src.git;a=commitdiff;h=d76b293ac71aa5bd4e9a433192afef6e0dd5a4ee

Comment 8 Remi Collet 2015-04-10 04:06:22 EDT

Commit in PHP 5.4

Fix: http://git.php.net/?p=php-src.git;a=commit;h=646572d6d3847d68124b03936719f60936b49a38

Test: http://git.php.net/?p=php-src.git;a=commit;h=8b14d3052ffcffa17d6e2be652f20e18f8f562ad

Comment 9 Carl Riches 2015-05-04 15:59:24 EDT

Can you provide an update on the status of this bug?  The NIST NVD shows a higher vuln score than your whiteboard comments show (above).  This is the NIST rating:

 Original release date: 03/30/2015
Last revised: 04/13/2015
Source: US-CERT/NIST 

CVSS Severity (version 2.0):
  CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Impact Subscore: 6.4
  Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
  Access Vector: Network exploitable
  Access Complexity: Low
  Authentication: Not required to exploit
  Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service 

(from https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2787)

They have placed the severity of this vuln at a higher level than shown in your whiteboard comments (above).

Thanks.

Comment 10 errata-xmlrpc 2015-06-04 04:04:19 EDT

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1066 https://rhn.redhat.com/errata/RHSA-2015-1066.html

Comment 11 errata-xmlrpc 2015-06-04 04:07:42 EDT

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1053 https://rhn.redhat.com/errata/RHSA-2015-1053.html

Comment 12 errata-xmlrpc 2015-06-23 04:12:40 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1135 https://rhn.redhat.com/errata/RHSA-2015-1135.html

Comment 13 errata-xmlrpc 2015-07-09 13:07:32 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1218 https://rhn.redhat.com/errata/RHSA-2015-1218.html

Note You need to log in before you can comment on or make changes to this bug.