Bug 1222538 (CVE-2015-4599, CVE-2015-4600, CVE-2015-4601) - CVE-2015-4599 CVE-2015-4600 CVE-2015-4601 php: type confusion issue in unserialize() with various SOAP methods
Summary: CVE-2015-4599 CVE-2015-4600 CVE-2015-4601 php: type confusion issue in unseri...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-4599, CVE-2015-4600, CVE-2015-4601
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150416,repor...
Depends On: 1228052 1228053 1228070 1228071 1228072 1228073
Blocks: 1213462
TreeView+ depends on / blocked
 
Reported: 2015-05-18 13:14 UTC by Vasyl Kaigorodov
Modified: 2019-06-08 20:35 UTC (History)
16 users (show)

Fixed In Version: php 5.4.40, php 5.5.24, php 5.6.8
Doc Type: Bug Fix
Doc Text:
Multiple flaws were discovered in the way PHP's Soap extension performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to disclose portion of its memory or crash.
Clone Of:
Environment:
Last Closed: 2015-07-09 21:36:46 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1135 normal SHIPPED_LIVE Important: php security and bug fix update 2015-06-23 12:11:40 UTC
Red Hat Product Errata RHSA-2015:1218 normal SHIPPED_LIVE Moderate: php security update 2015-07-09 21:01:41 UTC

Description Vasyl Kaigorodov 2015-05-18 13:14:42 UTC
PHP versions 5.4.40, 5.5.24, and 5.6.8 provide a fix for type confusion vulnerability in unserialize() function used on a various SOAP methods.

Copy-paste description of the issue from the upstream bug:
"""
PHP_METHOD(SoapFault, __toString)
{
...
  faultcode   = zend_read_property(soap_fault_class_entry, this_ptr, "faultcode", sizeof("faultcode")-1, 1 TSRMLS_CC);
  faultstring = zend_read_property(soap_fault_class_entry, this_ptr, "faultstring", sizeof("faultstring")-1, 1 TSRMLS_CC);
  file = zend_read_property(soap_fault_class_entry, this_ptr, "file", sizeof("file")-1, 1 TSRMLS_CC);
  line = zend_read_property(soap_fault_class_entry, this_ptr, "line", sizeof("line")-1, 1 TSRMLS_CC);
...
  len = spprintf(&str, 0, "SoapFault exception: [%s] %s in %s:%ld\nStack trace:\n%s",
                 Z_STRVAL_P(faultcode), Z_STRVAL_P(faultstring), Z_STRVAL_P(file), Z_LVAL_P(line),
                 Z_STRLEN_P(trace) ? Z_STRVAL_P(trace) : "#0 {main}\n");

  zval_ptr_dtor(&trace);

  RETURN_STRINGL(str, len, 0);
}

The Z_STRVAL_P macro lead to looking up an arbitrary valid memory address, and return a string via a integer-type zval that start from this memory address.
If the memory address is an invalid memory position, it should result in a crash.
The Z_LVAL_P macro lead to leaking memory address via a string-type zval that string value stored.

The following code should leak arbitrary memory or crash PHP:

<?php

$data = 'O:9:"SoapFault":4:{s:9:"faultcode";i:4298448493;s:11:"faultstring";i:4298448543;s:7:"'."\0*\0".'file";i:4298447319;s:7:"'."\0*\0".'line";s:4:"ryat";}';
echo unserialize($data);

?>

Result (Test on standard MacOSX 10.10.2 installation of PHP 5.6.6.):

SoapFault exception: [UH??AWAVSPI??I??H????
 in UH??AWAVAUATSH???:4307253992           ] UH??SPD???*?????t"H?
Stack trace:
#0 test.php(4): unserialize('O:9:"SoapFault"...')
#1 {main}
"""

Upstream bug:
https://bugs.php.net/bug.php?id=69152

Upstream commits:
http://git.php.net/?p=php-src.git;a=commitdiff;h=0c136a2abd49298b66acb0cad504f0f972f5bfe8
http://git.php.net/?p=php-src.git;a=commitdiff;h=51856a76f87ecb24fe1385342be43610fb6c86e4
http://git.php.net/?p=php-src.git;a=commitdiff;h=fb83c76deec58f1fab17c350f04c9f042e5977d1

Comment 6 Tomas Hoger 2015-06-05 15:54:11 UTC
In addition to commits mentioned in comment 0, there is additional commit:

http://git.php.net/?p=php-src.git;a=commitdiff;h=a894a8155fab068d68a04bf181dbaddfa01ccbb0

to address the issue mentioned in the following comment of the upstream bug:

https://bugs.php.net/bug.php?id=69152#1427277435

Comment 7 Tomas Hoger 2015-06-17 19:34:08 UTC
Multiple CVEs were assigned for the fixes mentioned in the bug, see:
http://seclists.org/oss-sec/2015/q2/727


CVE-2015-4599 was assigned for the original SoapFault::__toString issue reported in the upstream bug:

https://bugs.php.net/bug.php?id=69152#1425215948

and corrected in:

http://git.php.net/?p=php-src.git;a=commitdiff;h=51856a76f87ecb24fe1385342be43610fb6c86e4


CVE-2015-4600 was assigned for the SoapClient::__getLastRequest, SoapClient::__getLastResponse, SoapClient::__getLastRequestHeaders, SoapClient::__getLastResponseHeaders, SoapClient::__getCookies, and SoapClient::__setCookie issue described in the following comments of the upstream bug:

https://bugs.php.net/bug.php?id=69152#1425271419
https://bugs.php.net/bug.php?id=69152#1425271913

and corrected in:

http://git.php.net/?p=php-src.git;a=commitdiff;h=0c136a2abd49298b66acb0cad504f0f972f5bfe8


CVE-2015-4601 was assigned for the other fixes applied as part of upstream commit 0c136a2a.


CVE-2015-4602 was assigned for the incomplete class type confusion issue reported in:

https://bugs.php.net/bug.php?id=69152#1426863482

and corrected in:

http://git.php.net/?p=php-src.git;a=commitdiff;h=fb83c76deec58f1fab17c350f04c9f042e5977d1


CVE-2015-4603 was assigned for the exception::getTraceAsString() issue reported in:

https://bugs.php.net/bug.php?id=69152#1425357025

and corrected in:

http://git.php.net/?p=php-src.git;a=commitdiff;h=a894a8155fab068d68a04bf181dbaddfa01ccbb0

Comment 8 Tomas Hoger 2015-06-17 19:41:10 UTC
CVE-2015-4599, CVE-2015-4600, and CVE-2015-4601 issues were already corrected in Red Hat Software Collections updates in 2.0:

php54:  https://rhn.redhat.com/errata/RHSA-2015-1066.html
php55:  https://rhn.redhat.com/errata/RHSA-2015-1053.html

as part of the fixes for CVE-2015-4147 (bug 1204868) / CVE-2015-4148 (bug 1226916).

The rh-php56 collection packages introduced via RHEA-2015:1057 had these issues corrected since the initial release:

rh-php56:  https://rhn.redhat.com/errata/RHEA-2015-1057.html

Comment 9 errata-xmlrpc 2015-06-23 08:13:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1135 https://rhn.redhat.com/errata/RHSA-2015-1135.html

Comment 10 errata-xmlrpc 2015-07-09 17:07:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1218 https://rhn.redhat.com/errata/RHSA-2015-1218.html


Note You need to log in before you can comment on or make changes to this bug.