Bug 598537 (CVE-2010-2094, MOPS-2010-025, MOPS-2010-026, MOPS-2010-027, MOPS-2010-028) - CVE-2010-2094 php: Multiple format string flaws in the phar extension (MOPS-2010-025 MOPS-2010-026 MOPS-2010-027 MOPS-2010-028)
Summary: CVE-2010-2094 php: Multiple format string flaws in the phar extension (MOPS-2...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2010-2094, MOPS-2010-025, MOPS-2010-026, MOPS-2010-027, MOPS-2010-028
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 624469
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-06-01 15:21 UTC by Jan Lieskovsky
Modified: 2021-02-24 23:03 UTC (History)
2 users (show)

Fixed In Version: php 5.3.3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-25 09:57:35 UTC
Embargoed:

Attachments (Terms of Use)

Description Jan Lieskovsky 2010-06-01 15:21:44 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2094 to
the following vulnerability:

Multiple format string vulnerabilities in the phar extension in PHP
5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive
information (memory contents) and possibly execute arbitrary code via
a crafted phar:// URI that is not properly handled by the (1)
phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4)
phar_wrapper_open_url functions in ext/phar/stream.c; and the (5)
phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers
errors in the php_stream_wrapper_log_error function.

References:
  [1] http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html
  [2] http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.html
  [3] http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.html
  [4] http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.html
  [5] http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.html

Public PoC (from [1]):

$ php -r "fopen('phar:///usr/bin/phar.phar/*%08x-%08x-%08x-%08x-%08x-%08x-%08x-%08x-%08x','r');"

Credit: All flaws discovered by Stefan Esser.
Comment 4 Tomas Hoger 2010-06-28 09:53:49 UTC 
Upstream commit (seems to pre-date MOPS advisories publication by 2+ weeks, but credits Stefan Esser):
  http://svn.php.net/viewvc?view=revision&revision=298667

This upstream commit does not fix phar_stream_flush() case mentioned in MOPS-2010-024.
Comment 5 Tomas Hoger 2010-06-28 10:18:37 UTC 
Affected code only exists in PHP 5.3 and later.

Statement:

Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2.
Comment 7 Tomas Hoger 2010-08-23 07:12:49 UTC 
(In reply to comment #4)
>   http://svn.php.net/viewvc?view=revision&revision=298667
> 
> This upstream commit does not fix phar_stream_flush() case mentioned in
> MOPS-2010-024.

Fixed now in:
  http://svn.php.net/viewvc?view=revision&revision=302565
Comment 8 Tomas Hoger 2010-08-25 15:35:59 UTC 
(In reply to comment #7)
> (In reply to comment #4)
> >   http://svn.php.net/viewvc?view=revision&revision=298667
> > 
> > This upstream commit does not fix phar_stream_flush() case mentioned in
> > MOPS-2010-024.
> 
> Fixed now in:
>   http://svn.php.net/viewvc?view=revision&revision=302565

This got CVE-2010-2950.
Comment 9 Vincent Danen 2010-12-10 21:08:34 UTC 
This is fixed in upstream 5.3.4 now.
Comment 14 Huzaifa S. Sidhpurwala 2012-06-25 09:55:29 UTC 
Removing CVE-2010-2950 from this bug and filing it separately as bug 835024
Note You need to log in before you can comment on or make changes to this bug.