Bug 674699 (CVE-2011-0752) - CVE-2011-0752 php: extract() can overwrite $GLOBALS and $this when using EXTR_OVERWRITE
Status: CLOSED NOTABUG
Alias: CVE-2011-0752
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Reported: 2011-02-02 23:27 UTC by Vincent Danen
Modified: 2021-02-24 16:38 UTC (History)

Last Closed: 2011-02-28 18:02:55 UTC
Description Vincent Danen 2011-02-02 23:27:23 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0752 to
the following vulnerability:

Name: CVE-2011-0752
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0752
Assigned: 20110202
Reference: MLIST:[oss-security] 20101213 Re: Issues without CVE names in PHP 5.3.4/5.2.15 release
Reference: URL: http://www.openwall.com/lists/oss-security/2010/12/13/4
Reference: CONFIRM: http://www.php.net/ChangeLog-5.php
Reference: CONFIRM: http://www.php.net/archive/2010.php#id2010-12-10-1
Reference: CONFIRM: http://www.php.net/releases/5_2_15.php

The extract function in PHP before 5.2.15 does not prevent use of the
EXTR_OVERWRITE parameter to overwrite (1) the GLOBALS superglobal
array and (2) the this variable, which allows context-dependent
attackers to bypass intended access restrictions by modifying data
structures that were not intended to depend on external input, a
related issue to CVE-2005-2691 and CVE-2006-3758.


Upstream has indicated [1] that listing this under the security fixes in 5.2.15 was a mistake.  The 5.3.4 release that also fixes this bug lists it under "Core" [2], rather than under security fixes.

[1] http://www.openwall.com/lists/oss-security/2010/12/13/6
[2] http://www.php.net/ChangeLog-5.php#5.3.4
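The extract() pattern the CVE text describes, next to a guarded form that leaves the choice of variable names with the script author, as an added example that is not part of the bug report or of PHP's own code; the class and function names are assumptions:

```php
<?php
// Added example, not code from the bug report or from PHP itself: the
// pattern CVE-2011-0752 concerns (extract() with EXTR_OVERWRITE on an
// attacker-influenced array) next to a guarded form. Names are assumptions.

// Keep only allow-listed keys that are valid identifiers and not the
// reserved names "this" and "GLOBALS"; the author, not the input, decides
// which variables a later extract() may create.
function filter_for_extract(array $untrusted, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $name) {
        if (!array_key_exists($name, $untrusted)
            || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)
            || in_array($name, ['this', 'GLOBALS'], true)) {
            continue;
        }
        $clean[$name] = $untrusted[$name];
    }
    return $clean;
}

class ReportPage
{
    private $owner = 'alice';

    // Risky: every key of $params becomes a local variable and overwrites
    // any existing one; before PHP 5.2.15 the keys "GLOBALS" and "this"
    // were not refused either.
    public function renderUnsafe(array $params): string
    {
        extract($params, EXTR_OVERWRITE);
        return "report for {$this->owner}";
    }

    // Guarded: allow-listed keys only, each with a fixed prefix, so nothing
    // in $params can collide with $this or with locals such as $owner.
    public function renderGuarded(array $params): string
    {
        $clean = filter_for_extract($params, ['title', 'sort']);
        extract($clean, EXTR_PREFIX_ALL, 'req');
        $title = isset($req_title) ? $req_title : 'untitled';
        return "$title for {$this->owner}";
    }
}

// Constructed request data standing in for $_GET.
$request = ['title' => 'Q4', 'sort' => 'desc', 'owner' => 'mallory'];
echo (new ReportPage())->renderGuarded($request), "\n";
```

With EXTR_PREFIX_ALL the only variables created are $req_title and $req_sort, so the unlisted "owner" key is dropped before extract() ever sees it.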

Comment 1 Vincent Danen 2011-02-02 23:36:40 UTC
Upstream commit:

http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/array.c?r1=305011&r2=305570

Doesn't look to affect PHP 5.1.x at all.

Comment 4 Tomas Hoger 2011-02-28 18:02:55 UTC
Closing as not-a-security bug as explained in comment #2.

For posterity, this was fixed in php53 in RHEL-5 before these packages were added in 5.6 (bug #655330) and is planned to be fixed as non-security bug in php update in RHEL-6.1 (bug #655118).

Comment 5 Vincent Danen 2011-07-27 17:12:16 UTC
Statement:

We do not consider this flaw to be a security issue as it is only exploitable by the script author. No trust boundary is crossed.

This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 3, 4, or 5 (php). This issue was addressed in the php53 packages as shipped in Red Hat Enterprise Linux 5 before their first release in Red Hat Enterprise Linux 5.6, and it was addressed in the php package in Red Hat Enterprise Linux 6 via RHBA-2011:0615.
