A use-after-free vulnerability was found that could possibly lead to arbitrary remote code execution.

Vulnerable code:

    if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) {
        target_hash = HASH_OF(ent2->data);

        if (ent1->varname) {
            if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
                Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data)) {
                ...
                /* Clean up old array entry */
                zval_ptr_dtor(&ent2->data);

                /* Set stack entry to point to the newly created object */
                ent2->data = obj;

                /* Clean up class name var entry */
                zval_ptr_dtor(&ent1->data);

During wddx packet deserialization the zval_ptr_dtor() call leads to the ZVAL being freed from memory; however, a crafted recordset can still use the already freed memory.

Upstream patch:
https://git.php.net/?p=php-src.git;a=commit;h=366f9505a4aae98ef2f4ca39a838f628a324b746

Upstream bug (contains reproducer):
https://bugs.php.net/bug.php?id=70661
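The following is an added illustration of the bug shape described in the report above; it is not PHP's zval or wddx.c code and is not taken from the upstream patch. It models a refcounted value and two parse-stack entries: the class-name step releases the container's data and swaps in a new object, and a parent recordset that still holds a raw pointer to that data (the ownership rule where the parent only takes a reference when the recordset closes is the model's assumption) then touches released memory. The names ST_STRUCT, ST_RECORDSET, value_release() and the strict_container gate are all the model's own; the gate only allows the swap when the closing entry is a struct holding an array. The authoritative fix is the upstream commit linked above.

```c
#include <stdlib.h>
#include <string.h>

/* Added model, not PHP's zval/wddx code. value_release() marks a block
 * freed instead of returning it to malloc, so a stale use is detected
 * deterministically (a real use-after-free is undefined behaviour). */

enum vtype { VT_STRING = 1, VT_ARRAY = 2, VT_OBJECT = 3 };
enum etype { ST_STRUCT = 1, ST_RECORDSET = 2 };   /* model's own names */

typedef struct value {
    int refcount;
    enum vtype type;
    int freed;          /* model only: "memory handed back to the allocator" */
} value;

typedef struct stack_entry {
    enum etype type;
    const char *varname;
    value *data;
} stack_entry;

static value *value_new(enum vtype t) {
    value *v = calloc(1, sizeof *v);
    if (!v) abort();
    v->refcount = 1;
    v->type = t;
    return v;
}

/* Plays the role of zval_ptr_dtor(): drop one reference, "free" on the last. */
static void value_release(value *v) {
    if (v->freed) return;
    if (--v->refcount == 0) v->freed = 1;
}

/* 0 if v is live, -1 if the caller is reading released memory. */
static int value_use(const value *v) { return v->freed ? -1 : 0; }

/* Model of the class-name step: ent1 carries the class-name string, ent2 the
 * container being closed. With strict_container set, the object swap is only
 * done when ent2 is a struct holding an array (the model's own hardening, not
 * a quote of the upstream patch). Returns the value ent2 ends up holding. */
static value *finish_class_name(stack_entry *ent1, stack_entry *ent2,
                                int strict_container) {
    if ((ent2->data->type == VT_ARRAY || ent2->data->type == VT_OBJECT) &&
        ent1->varname && !strcmp(ent1->varname, "php_class_name") &&
        ent1->data->type == VT_STRING &&
        (!strict_container ||
         (ent2->type == ST_STRUCT && ent2->data->type == VT_ARRAY))) {
        value *obj = value_new(VT_OBJECT);
        value_release(ent2->data);      /* "Clean up old array entry" */
        ent2->data = obj;               /* stack entry now points at the object */
        value_release(ent1->data);      /* "Clean up class name var entry" */
    }
    return ent2->data;
}

/* Constructed scenario: the class-name var sits inside a recordset field, and
 * the parent recordset still holds a raw pointer to the field array.
 * Returns value_use() on that pointer: -1 means use after free. */
static int crafted_recordset(int strict_container) {
    value *field_array = value_new(VT_ARRAY);
    value *class_name  = value_new(VT_STRING);
    value *parent_ptr  = field_array;   /* parent's reference, no refcount taken */

    stack_entry ent2 = { ST_RECORDSET, NULL, field_array };
    stack_entry ent1 = { ST_STRUCT, "php_class_name", class_name };

    value *kept = finish_class_name(&ent1, &ent2, strict_container);
    int rc = value_use(parent_ptr);

    /* release the model's own allocations for real */
    if (kept != field_array) free(kept);
    free(field_array);
    free(class_name);
    return rc;
}

int main(void) {
    /* unchecked path dangles, gated path keeps the field array alive */
    return (crafted_recordset(0) == -1 && crafted_recordset(1) == 0) ? 0 : 1;
}
```

Compile with `cc -Wall model.c && ./a.out`; exit status 0 means the unchecked path reported a stale access and the gated path did not. In the real interpreter the same sequence is a genuine heap use-after-free, which is why the upstream reproducer is run under a debug allocator or ASan rather than relying on a flag like the one modelled here.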
Created php tracking bugs for this issue: Affects: fedora-all [bug 1297722]
php-5.6.17-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
php-5.6.17-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Lowering the impact to moderate based on the following:

* WDDX packet deserialization should not be used with an untrusted source: http://php.net/manual/en/function.wddx-deserialize.php#refsect1-function.wddx-deserialize-returnvalues