Bug 598537 - (CVE-2010-2094, MOPS-2010-025, MOPS-2010-026, MOPS-2010-027, MOPS-2010-028) CVE-2010-2094 php: Multiple format string flaws in the phar extension (MOPS-2010-025 MOPS-2010-026 MOPS-2010-027 MOPS-2010-028)
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,source=cve,reported=2...
Keywords: Reopened, Security
Depends On: 624469
Reported: 2010-06-01 11:21 EDT by Jan Lieskovsky
Modified: 2012-06-25 06:24 EDT
Fixed In Version: php 5.3.3
Doc Type: Bug Fix
Last Closed: 2012-06-25 05:57:35 EDT
Attachments: None
Description Jan Lieskovsky 2010-06-01 11:21:44 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2094 to
the following vulnerability:

Multiple format string vulnerabilities in the phar extension in PHP
5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive
information (memory contents) and possibly execute arbitrary code via
a crafted phar:// URI that is not properly handled by the (1)
phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4)
phar_wrapper_open_url functions in ext/phar/stream.c; and the (5)
phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers
errors in the php_stream_wrapper_log_error function.

References:
  [1] http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html
  [2] http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.html
  [3] http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.html
  [4] http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.html
  [5] http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.html

Public PoC (from [1]):

$ php -r "fopen('phar:///usr/bin/phar.phar/*%08x-%08x-%08x-%08x-%08x-%08x-%08x-%08x-%08x','r');"

Credit: All flaws discovered by Stefan Esser.
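The defect pattern behind CVE-2010-2094 next to its hardened form, as an added example in C that is not part of this bug report or of PHP's source tree. stream_log_error() is a hypothetical stand-in for php_stream_wrapper_log_error() (the real function also takes the wrapper and options arguments), and report_bad_url_vulnerable()/report_bad_url_fixed() are illustrative names. The constructed input uses "%%" instead of the advisory's "%08x" so the difference in behaviour is deterministic and readable.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Last message written by the logger; returned so callers can inspect it. */
static char last_error[256];

/* Hypothetical printf-style error logger standing in for
 * php_stream_wrapper_log_error(). It has no format attribute on purpose:
 * with __attribute__((format(printf, 1, 2))) added, gcc/clang's
 * -Wformat-security would flag the vulnerable call below at compile time. */
static void stream_log_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_error, sizeof last_error, fmt, ap);
    va_end(ap);
}

/* Defect pattern from CVE-2010-2094: the caller-controlled phar:// URL is
 * passed as the format string itself, so any '%' sequence in it is
 * interpreted by the printf engine instead of being logged literally. */
const char *report_bad_url_vulnerable(const char *url)
{
    stream_log_error(url);
    return last_error;
}

/* Hardened form: the URL is only ever a "%s" argument. The format string
 * is a literal under the program's control, so "%%" or "%08x" inside the
 * URL is copied verbatim into the message. */
const char *report_bad_url_fixed(const char *url)
{
    stream_log_error("phar error: invalid url \"%s\"", url);
    return last_error;
}
```

The same two calls side by side show why the upstream fix is to add a literal format such as "%s" rather than to filter the URL: the literal makes the input's '%' characters inert regardless of what they are.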
Comment 4 Tomas Hoger 2010-06-28 05:53:49 EDT
Upstream commit (seems to pre-date MOPS advisories publication by 2+ weeks, but credits Stefan Esser):
  http://svn.php.net/viewvc?view=revision&revision=298667

This upstream commit does not fix phar_stream_flush() case mentioned in MOPS-2010-024.
Comment 5 Tomas Hoger 2010-06-28 06:18:37 EDT
Affected code only exists in PHP 5.3 and later.

Statement:

Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2.
Comment 7 Tomas Hoger 2010-08-23 03:12:49 EDT
(In reply to comment #4)
>   http://svn.php.net/viewvc?view=revision&revision=298667
> 
> This upstream commit does not fix phar_stream_flush() case mentioned in
> MOPS-2010-024.

Fixed now in:
  http://svn.php.net/viewvc?view=revision&revision=302565
Comment 8 Tomas Hoger 2010-08-25 11:35:59 EDT
(In reply to comment #7)
> (In reply to comment #4)
> >   http://svn.php.net/viewvc?view=revision&revision=298667
> > 
> > This upstream commit does not fix phar_stream_flush() case mentioned in
> > MOPS-2010-024.
> 
> Fixed now in:
>   http://svn.php.net/viewvc?view=revision&revision=302565

This got CVE-2010-2950.
Comment 9 Vincent Danen 2010-12-10 16:08:34 EST
This is fixed in upstream 5.3.4 now.
Comment 14 Huzaifa S. Sidhpurwala 2012-06-25 05:55:29 EDT
Removing CVE-2010-2950 from this bug and filing it separately as bug 835024