Red Hat Bugzilla – Bug 690911
CVE-2011-1470 php: crash when processing certain Zip archives
Last modified: 2011-10-12 07:42:06 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1470 to the following vulnerability: The Zip extension in PHP before 5.3.6 allows context-dependent attackers to cause a denial of service (application crash) via a ziparchive stream that is not properly handled by the stream_get_contents function. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1470 [2] http://bugs.php.net/bug.php?id=53579 [3] http://www.php.net/ChangeLog-5.php Upstream patch: [4] http://svn.php.net/viewvc/?view=revision&revision=306493
Public PoC from [2]: ==================== <?php $target_file = 'META-INF/MANIFEST.MF'; $za = new ZipArchive(); if ($za->open('test.jar') !== TRUE) { return FALSE; } if ($za->statName($target_file) !== FALSE) { $fd = $za->getStream($target_file); } else { $fd = FALSE; } $za->close(); if (is_resource($fd)) { echo strlen(stream_get_contents($fd)); } ?>
Details from Joseph Orton: ========================= The fix for this one: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/zip_stream.c?r1=306493&r2=306492&pathrev=306493 ensures stream->orig_path is non-NULL in the zip stream object. This matters because php_zip_ops_stat assumes ->orig_path is non-NULL: static int php_zip_ops_stat(php_stream *stream, php_stream_statbuf *ssb TSRMLS_DC) /* {{{ */ { struct zip_stat sb; const char *path = stream->orig_path; int path_len = strlen(stream->orig_path); But php_zip_ops_stat() was only added in PHP 5.3.4; the function does not exist in 5.3.3, nor does anything else in ext/zip which assumes stream->orig_path is non-NULL. Conclusion: CVE-2011-1470 only affects PHP 5.3.4 and 5.3.5.
Statement: This issue does not affect the version of php shipped with Red Hat Enterprise Linux 4, 5 and 6. This issue does not affect the version of php53 shipped with Red Hat Enterprise Linux 5.