Bug 688378 (CVE-2011-1153) - CVE-2011-1153 php: several format string vulnerabilities in PHP's Phar extension
Summary: CVE-2011-1153 php: several format string vulnerabilities in PHP's Phar extension
Alias: CVE-2011-1153
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2011-03-16 22:02 UTC by Vincent Danen
Modified: 2021-02-24 16:18 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-04-29 22:28:46 UTC

Attachments (Terms of Use)

Description Vincent Danen 2011-03-16 22:02:23 UTC
Several format string flaws were found in PHP's Phar extension [1] that could be used to leak some parts of memory via error messages.  These have been corrected in upstream svn [2].  The Phar extension is part of PHP since 5.3.0.

This is demonstrated with the following:


$x = new PharData('a.php');


% php phar.php 
PHP Fatal error:  Uncaught exception 'PharException' with message 'unable to open phar for reading "00000000.00000008.00000000.bffb3624.081ef712"' in /tmp/tests/phar.php:4
Stack trace:
#0 /tmp/tests/phar.php(4): PharData::loadPhar('%08x.%08x.%08x....')
#1 {main}
  thrown in /tmp/tests/phar.php on line 4

[1] http://bugs.php.net/bug.php?id=54247
[2] http://svn.php.net/viewvc?view=revision&revision=309221

Comment 1 Vincent Danen 2011-03-16 22:15:07 UTC
I'm not very familiar with these phar archives, but I suspect these would not be something a user could just upload (or a normal site would allow to be uploaded and then loaded), so I believe this flaw is probably more of a local flaw, than a remote flaw.

Comment 11 Vincent Danen 2011-04-29 22:28:46 UTC

Red Hat does not consider this flaw to be a security issue.  It is improbable that a script would accept untrusted user input or unvalidated script input data as a PHAR archive file name to load.  The file name passed to the PHAR-handling functions is therefore under the full control of the script author and no trust boundary is crossed.

Note You need to log in before you can comment on or make changes to this bug.