First Last Prev Next    This bug is not in your last search results.
Bug 1297720 - php: Use-after-free in WDDX Packet Deserialization
php: Use-after-free in WDDX Packet Deserialization
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20151007,repor...
: Security
Depends On: 1297722
Blocks: 1297732
  Show dependency treegraph
 
Reported: 2016-01-12 05:17 EST by Adam Mariš
Modified: 2016-03-15 07:31 EDT (History)
15 users (show)

See Also:
Fixed In Version: php 5.5.31, php 5.6.17
Doc Type: Bug Fix
Doc Text:
A use-after-free flaw was found in the php_wddx_pop_element() function of PHP's WDDX extension. Unserializing specially crafted input could cause a PHP application to crash or, possibly, execute arbitrary code.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-03 08:02:52 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Adam Mariš 2016-01-12 05:17:14 EST 
A use-after free vulnerability was found that could possible lead to arbitrary remote codeexecution. Vulnerable code:

if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) {
	target_hash = HASH_OF(ent2->data);
	if (ent1->varname) {
		if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
			Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data)) {
			...
			/* Clean up old array entry */
			zval_ptr_dtor(&ent2->data);
				
			/* Set stack entry to point to the newly created object */
			ent2->data = obj;
					
			/* Clean up class name var entry */
			zval_ptr_dtor(&ent1->data);

During wddx packet deserialization the zval_ptr_dtor() lead ZVAL is freed from the memory, however a crafted recordset can still use already freed memory.

Upstream patch:

https://git.php.net/?p=php-src.git;a=commit;h=366f9505a4aae98ef2f4ca39a838f628a324b746

Upstream bug (contains reproducer):

https://bugs.php.net/bug.php?id=70661
Comment 1 Adam Mariš 2016-01-12 05:18:09 EST 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1297722]
Comment 2 Fedora Update System 2016-01-16 08:22:24 EST 
php-5.6.17-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2016-01-16 09:20:19 EST 
php-5.6.17-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 4 Cedric Buissart 2016-01-29 05:36:30 EST 
Lowering the impact down to moderate based on the following :
 * WDDX packet deserialization should not be used with untrusted source :
http://php.net/manual/en/function.wddx-deserialize.php#refsect1-function.wddx-deserialize-returnvalues
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.