A vulnerability in PHP was reported whereby the heap header gets misaligned, resulting in the corruption of the heap chunk's metadata.

A heap chunk is allocated in ext/phar/tar.c:167:

    metadata = (char *) safe_emalloc(1, entry->uncompressed_filesize, 1);

A reference to this heap chunk is passed into phar_parse_metadata() at ext/phar/tar.c:176:

    if (phar_parse_metadata(&metadata, &entry->metadata, entry->uncompressed_filesize TSRMLS_CC) == FAILURE) {

The following gets called within phar_parse_metadata:611 when zip_metadata_len == 0:

    PHAR_GET_32(*buffer, buf_len);

This moves the pointer referencing the heap chunk by 4 bytes. When the heap chunk gets freed at tar.c:177:

    efree(metadata);

the heap chunk is now misaligned by 4 bytes. In other words: ZEND_MM_HEADER_OF(metadata).info._size is now ZEND_MM_HEADER_OF(metadata).info._prev, and ZEND_MM_HEADER_OF(metadata).info._prev is tainted with the body's data.

Upstream bug: https://bugs.php.net/bug.php?id=69443
Upstream patch: http://git.php.net/?p=php-src.git;a=commitdiff;h=17cbd0b5b78a7500f185b3781a2149881bfff8ae

This patch was for CVE-2015-2783 (bug 1213446), but it inadvertently resolved this vulnerability as well. The vulnerable line that was removed was on ext/phar/phar.c:611:

    PHAR_GET_32(*buffer, buf_len);
Original report: http://seclists.org/oss-sec/2015/q2/477
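The description above says the freed pointer has drifted 4 bytes, so the allocator's _size field lands on the old _prev field and _prev lands on body data. The following is an added illustration of that mechanism, not PHP's code or the upstream fix: it models a chunk header with two 4-byte fields (as on a 32-bit build), a parser that advances the caller's pointer the way PHAR_GET_32 on *buffer did, and a fixed parser that reads through a local cursor. All names, the header layout and the sample sizes are assumptions made for the example.

```c
/* Added example (not PHP's code): a simplified model of a heap chunk header
 * showing why a body pointer advanced by 4 bytes makes the allocator read the
 * wrong header fields on free. The 4-byte _size/_prev layout, the model
 * allocator and all function names are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Header stored immediately before each body (4-byte fields, as on 32-bit). */
struct mm_header {
    uint32_t _size;   /* size of this chunk's body */
    uint32_t _prev;   /* size of the preceding chunk */
};

#define BODY_LEN 64u      /* constructed: stands in for entry->uncompressed_filesize */
#define PREV_LEN 0x1000u  /* constructed: size recorded for the previous chunk */

/* What the allocator sees when it looks 8 bytes before a body pointer. */
struct header_view {
    long drift;          /* bytes the body pointer moved from the allocation */
    uint32_t size_seen;  /* field the allocator would use as _size */
    uint32_t prev_seen;  /* field the allocator would use as _prev */
};

/* Model allocator: header followed by body; the body pointer is returned. */
static char *model_alloc(uint32_t size, uint32_t prev)
{
    struct mm_header *h = malloc(sizeof *h + size);
    if (h == NULL) {
        return NULL;
    }
    h->_size = size;
    h->_prev = prev;
    return (char *)(h + 1);
}

static void model_free(char *body)
{
    free(body - sizeof(struct mm_header));
}

/* Copy the 8 bytes before `body` as a header; memcpy avoids aliasing issues. */
static struct header_view view_header(const char *base, const char *body)
{
    struct mm_header h;
    struct header_view v;
    memcpy(&h, body - sizeof h, sizeof h);
    v.drift = (long)(body - base);
    v.size_seen = h._size;
    v.prev_seen = h._prev;
    return v;
}

/* Buggy parser: like PHAR_GET_32 on the caller's *buffer, it reads a 32-bit
 * length and leaves the caller's pointer advanced by 4. */
static uint32_t parse_metadata_buggy(char **buffer, size_t buf_len)
{
    uint32_t len = 0;
    if (buf_len >= sizeof len) {
        memcpy(&len, *buffer, sizeof len);
        *buffer += sizeof len;
    }
    return len;
}

/* Fixed parser: reads through a local cursor, so the pointer the caller will
 * later pass to free is never moved. */
static uint32_t parse_metadata_fixed(char *const *buffer, size_t buf_len)
{
    uint32_t len = 0;
    const char *cursor = *buffer;
    if (buf_len >= sizeof len) {
        memcpy(&len, cursor, sizeof len);
        cursor += sizeof len;  /* local only; the caller's pointer is untouched */
    }
    return len;
}

/* Run one parse and report the header the allocator would see afterwards. */
static struct header_view run_parse(int use_fixed)
{
    struct header_view v;
    char *base = model_alloc(BODY_LEN, PREV_LEN);
    char *metadata = base;
    if (base == NULL) {
        v.drift = -1; v.size_seen = 0; v.prev_seen = 0;
        return v;
    }
    memset(base, 0x41, BODY_LEN);  /* constructed body data */
    if (use_fixed) {
        parse_metadata_fixed(&metadata, BODY_LEN);
    } else {
        parse_metadata_buggy(&metadata, BODY_LEN);
    }
    v = view_header(base, metadata);
    /* The real code freed `metadata`; with a drift of 4 the allocator would act
     * on the header view above. Here the true chunk is freed so the model stays valid. */
    model_free(base);
    return v;
}

int main(void)
{
    struct header_view b = run_parse(0), f = run_parse(1);
    printf("buggy: drift=%ld size=%#x prev=%#x\n", b.drift, (unsigned)b.size_seen, (unsigned)b.prev_seen);
    printf("fixed: drift=%ld size=%#x prev=%#x\n", f.drift, (unsigned)f.size_seen, (unsigned)f.prev_seen);
    return 0;
}
```

With the buggy parser the view reports a drift of 4, _size reading the previous chunk's recorded size and _prev reading the 0x41 body bytes, which is the swap the description states; with the fixed parser the drift is 0 and both fields are intact. The defensive rule the example encodes is that a routine which receives a pointer it does not own must not advance that pointer, or the owner must keep the original base for the free.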
The PHP packages as shipped as part of the php54 collection in Red Hat Software Collections were updated to fixed upstream version 5.4.40 via RHSA-2015:1066 released as part of Red Hat Software Collections 2.0.

This issue has been addressed in the php54-php packages in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1066 https://rhn.redhat.com/errata/RHSA-2015-1066.html
Why is it that there is no information on the CVE page as to which PHP versions are affected?? This is frustrating!!! :( Can someone please help out the customers and update the page? https://access.redhat.com/security/cve/CVE-2015-3307
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:1135 https://rhn.redhat.com/errata/RHSA-2015-1135.html
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2015:1186 https://rhn.redhat.com/errata/RHSA-2015-1186.html
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2015:1187 https://rhn.redhat.com/errata/RHSA-2015-1187.html
Statement: This issue affected all versions of PHP shipped in various Red Hat products, except PHP version 5.1.x, which is shipped with Red Hat Enterprise Linux 5.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1218 https://rhn.redhat.com/errata/RHSA-2015-1218.html