Bug 1154500 (CVE-2014-3669) - CVE-2014-3669 php: integer overflow in unserialize()
Summary: CVE-2014-3669 php: integer overflow in unserialize()
Status: CLOSED ERRATA
Alias: CVE-2014-3669
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20140918,repor...
Keywords: Security
Depends On: 1154638 1154639 1155019 1155020 1155021 1155022 1155023 1155024 1170147
Blocks: 1149858 1154506
TreeView+ depends on / blocked
 
Reported: 2014-10-20 04:17 UTC by Murray McAllister
Modified: 2018-12-09 18:54 UTC (History)
10 users (show)

Fixed In Version: php 5.4.34, php 5.5.18, php 5.6.2
Doc Type: Bug Fix
Doc Text:
An integer overflow flaw was found in the way custom objects were unserialized. Specially crafted input processed by the unserialize() function could cause a PHP application to crash.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-11-06 17:59:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1765 normal SHIPPED_LIVE Important: php54-php security update 2014-10-30 23:45:24 UTC
Red Hat Product Errata RHSA-2014:1766 normal SHIPPED_LIVE Important: php55-php security update 2014-10-30 23:45:12 UTC
Red Hat Product Errata RHSA-2014:1767 normal SHIPPED_LIVE Important: php security update 2014-10-31 00:16:02 UTC
Red Hat Product Errata RHSA-2014:1768 normal SHIPPED_LIVE Important: php53 security update 2014-10-30 23:44:46 UTC
Red Hat Product Errata RHSA-2014:1824 normal SHIPPED_LIVE Important: php security update 2014-11-06 21:59:32 UTC
Red Hat Product Errata RHSA-2015:0021 normal SHIPPED_LIVE Important: php security update 2015-01-08 23:15:58 UTC
PHP Bug Tracker 68044 None None None Never

Description Murray McAllister 2014-10-20 04:17:05 UTC
An integer overflow flaw in PHP's unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure. It is not clear if code execution is possible or not.

It was reported that this issue only affects 32-bit systems. It has been fixed in upstream versions 5.4.34, 5.5.18, and 5.6.2.

References:
http://git.php.net/?p=php-src.git;a=commit;h=56754a7f9eba0e4f559b6ca081d9f2a447b3f159
https://bugs.php.net/bug.php?id=68044
http://php.net/ChangeLog-5.php

Comment 2 Murray McAllister 2014-10-20 04:23:28 UTC
5.5.18 is already in Fedora testing, so no Fedora trackers for this (or bug 1154502 and bug 1154503)

Comment 9 Tomas Hoger 2014-10-21 11:50:19 UTC
(In reply to Murray McAllister from comment #0)
> It was reported that this issue only affects 32-bit systems.

This issue does not seem to be 32-bit specific per se.  Problematic code check is:

  pointer1 + long >= pointer2

Attacker providing crafted serialized input has full control over the long value.  As the variable is signed, and there is another check to ensure that its value is not negative, overflow can happen if pointer1 + long overflow.  That can only happen if pointer1 points to the upper half of the address range, as the maximum long value is approximately half of the maximum pointer value.  That is lot more likely on 32-bit systems than on 64-bit systems.  Attacker has limited control over pointer1.

Comment 13 Martin Prpič 2014-10-30 11:11:47 UTC
IssueDescription:

An integer overflow flaw was found in the way custom objects were unserialized. Specially crafted input processed by the unserialize() function could cause a PHP application to crash.

Comment 14 errata-xmlrpc 2014-10-30 19:45:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1768 https://rhn.redhat.com/errata/RHSA-2014-1768.html

Comment 15 errata-xmlrpc 2014-10-30 19:47:01 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html

Comment 16 errata-xmlrpc 2014-10-30 19:49:31 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html

Comment 17 errata-xmlrpc 2014-10-30 20:16:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:1767 https://rhn.redhat.com/errata/RHSA-2014-1767.html

Comment 18 errata-xmlrpc 2014-11-06 17:01:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1824 https://rhn.redhat.com/errata/RHSA-2014-1824.html

Comment 20 errata-xmlrpc 2015-01-08 18:16:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only

Via RHSA-2015:0021 https://rhn.redhat.com/errata/RHSA-2015-0021.html


Note You need to log in before you can comment on or make changes to this bug.