Red Hat Bugzilla – Bug 1471842
CVE-2017-11147 php: Out-of-bounds read in phar_parse_pharfile
Last modified: 2017-08-31 10:12:56 EDT
In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler
could be used by attackers supplying malicious archive files to crash
the PHP interpreter or potentially disclose information due to a buffer
over-read in the phar_parse_pharfile function in ext/phar/phar.c.
For some reason, example_hostile.phar provided at php bug report does not trigger this vulnerability, but CVE-2016-10159.phar does. This vulnerability is exactly the same problem as in CVE-2016-10159, it was reported again because the fix was not enough and it was still vulnerable.
About security issues in .phar file
.phar is an archive format designed to distribution application (code, mostly as .war for java)
The format also includes metadata which are stored as serialized strings (so which are affected by all serialized issues, including class leak and wakeup)
In the future, the PHP security team will not manage such issue as security
Serious applications will never allow upload of such file (for ex, I checked Wordpress and GLPI)
Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.