Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1416499 (CVE-2016-7480) - CVE-2016-7480 php: Use of uninitialized value in SplObjectStorag::unserialize
Summary: CVE-2016-7480 php: Use of uninitialized value in SplObjectStorag::unserialize
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-7480
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-25 16:05 UTC by Adam Mariš
Modified: 2021-02-17 02:43 UTC (History)
9 users (show)

Fixed In Version: php 7.0.12
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-25 16:10:35 UTC


Attachments (Terms of Use)

Description Adam Mariš 2017-01-25 16:05:54 UTC
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.

Upstream bug:

https://bugs.php.net/bug.php?id=73257

Upstream patch:

https://github.com/php/php-src/commit/61cdd1255d5b9c8453be71aacbbf682796ac77d4

External References:

http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7/

Comment 1 Adam Mariš 2017-01-25 16:10:35 UTC
This issue happens when untrusted input is being unserialized which is documented as being insecure. Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. Consider using safe, standard data interchange  format such as JSON.


Note You need to log in before you can comment on or make changes to this bug.