Bug 1471842 - (CVE-2017-11147) CVE-2017-11147 php: Out-of-bounds read in phar_parse_pharfile
CVE-2017-11147 php: Out-of-bounds read in phar_parse_pharfile
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20161217,repor...
: Security
Depends On:
Blocks: 1471847
  Show dependency treegraph
 
Reported: 2017-07-17 10:19 EDT by Adam Mariš
Modified: 2017-08-31 10:12 EDT (History)
9 users (show)

See Also:
Fixed In Version: php 5.6.30, php 7.0.15
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-31 10:10:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2017-07-17 10:19:25 EDT
In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler
could be used by attackers supplying malicious archive files to crash
the PHP interpreter or potentially disclose information due to a buffer
over-read in the phar_parse_pharfile function in ext/phar/phar.c.

Upstream bug:

https://bugs.php.net/bug.php?id=73773

Upstream patch:

http://git.php.net/?p=php-src.git;a=commit;h=e5246580a85f031e1a3b8064edbaa55c1643a451
Comment 1 Raphael Sanchez Prudencio 2017-08-30 15:19:09 EDT
For some reason, example_hostile.phar provided at php bug report does not trigger this vulnerability, but CVE-2016-10159.phar does. This vulnerability is exactly the same problem as in CVE-2016-10159, it was reported again because the fix was not enough and it was still vulnerable.
Comment 2 Remi Collet 2017-08-31 00:52:50 EDT
About security issues in .phar file

.phar is an archive format designed to distribution application (code, mostly as .war for java)

The format also includes metadata which are stored as serialized strings (so which are affected by all serialized issues, including class leak and wakeup)

In the future, the PHP security team will not manage such issue as security

Serious applications will never allow upload of such file (for ex, I checked Wordpress and GLPI)
Comment 3 Raphael Sanchez Prudencio 2017-08-31 10:12:56 EDT
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.