Bug 1185397 (CVE-2015-0231) - CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
Summary: CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete ...
Status: CLOSED ERRATA
Alias: CVE-2015-0231
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150101,repor...
Keywords: Reopened, Security
Depends On: 1204765 1204766 1205733 1205734
Blocks: 1185412 1210213
TreeView+ depends on / blocked
 
Reported: 2015-01-23 16:01 UTC by Vasyl Kaigorodov
Modified: 2015-07-09 21:44 UTC (History)
9 users (show)

Fixed In Version: php 5.4.37, php 5.5.21, php 5.6.5
Doc Type: Bug Fix
Doc Text:
A use-after-free flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass crafted input to PHP's unserialize() function, they could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-09 21:44:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1053 normal SHIPPED_LIVE Moderate: php55 security and bug fix update 2015-06-04 12:06:06 UTC
Red Hat Product Errata RHSA-2015:1066 normal SHIPPED_LIVE Important: php54 security and bug fix update 2015-06-05 15:42:20 UTC
Red Hat Product Errata RHSA-2015:1135 normal SHIPPED_LIVE Important: php security and bug fix update 2015-06-23 12:11:40 UTC

Description Vasyl Kaigorodov 2015-01-23 16:01:23 UTC
It was discovered that the fix for CVE-2014-8142 (use after free vulnerability in unserialize(), see bug 1175718) was incomplete.

Upstream bug:
https://bugs.php.net/bug.php?id=68710

Upstream commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=b585a3aed7880a5fa5c18e2b838fc96f40e075bd

Comment 1 Tomas Hoger 2015-01-30 20:15:43 UTC
Fixed upstream in PHP 5.6.5, 5.5.21, and 5.4.37:

http://php.net/ChangeLog-5.php#5.6.5
http://php.net/ChangeLog-5.php#5.5.21
http://php.net/ChangeLog-5.php#5.4.37

Comment 2 ksakai2 2015-02-03 02:37:24 UTC
When will updated package for php-5.3.3 in RHEL6 release?

Comment 3 Remi Collet 2015-02-03 06:14:42 UTC
AS for CVE-2014-8142, PHP 5.3 is not affected but this vulnerability.

Comment 4 Elan Ruusamäe 2015-02-05 10:18:45 UTC
(this is not redhat system below)

PHP 5.3.3 may not be affected, but my PHP 5.3.29 does crash:

[~/rpm/packages/php (PHP_5_3)⚡] ➔ gdb --args /usr/bin/php53  CVE-2015-0231.php 
GNU gdb (GDB) 7.8.1-1 (PLD Linux)
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pld-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/php53...Reading symbols from /usr/lib/debug/usr/bin/php53.debug...done.
done.
(gdb) r
Starting program: /usr/bin/php53 CVE-2015-0231.php
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
PHP Warning:  Cannot open '/usr/share/browscap/php_browscap.ini' for reading in Unknown on line 0
PHP 5.3.29 - php53-common-5.3.29-8.x86_64


Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ca2644 in zend_get_class_entry (zobject=0x6ae558) at /usr/src/debug/php-5.3.29/Zend/zend_API.c:229
229             if (Z_OBJ_HT_P(zobject)->get_class_entry) {
(gdb) bt
#0  0x00007ffff7ca2644 in zend_get_class_entry (zobject=0x6ae558) at /usr/src/debug/php-5.3.29/Zend/zend_API.c:229
#1  0x00007ffff7b99732 in object_common2 (rval=0x7fffffff9f88, p=0x7fffffff9fa8, max=0x6a9b31 "", var_hash=0x7fffffff9fb0, elements=8)
    at /usr/src/debug/php-5.3.29/ext/standard/var_unserializer.c:374
#2  0x00007ffff7c3d678 in php_var_unserialize (rval=0x7fffffff9f88, p=0x7fffffff9fa8, max=0x6a9b31 "", var_hash=0x7fffffff9fb0)
    at /usr/src/debug/php-5.3.29/ext/standard/var_unserializer.c:684
#3  0x00007ffff7c2e886 in zif_unserialize (ht=<optimized out>, return_value=0x6ae558, return_value_ptr=<optimized out>, this_ptr=<optimized out>, 
    return_value_used=<optimized out>) at /usr/src/debug/php-5.3.29/ext/standard/var.c:936
#4  0x00007ffff7d2e60a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff07bd068) at /usr/src/debug/php-5.3.29/Zend/zend_vm_execute.h:322
#5  0x00007ffff7ce4e43 in execute (op_array=0x6a9990) at /usr/src/debug/php-5.3.29/Zend/zend_vm_execute.h:107
#6  0x00007ffff7ca1b37 in zend_execute_scripts (type=7005528, type@entry=8, retval=0x6ad078, retval@entry=0x0, file_count=6322960, file_count@entry=3)
    at /usr/src/debug/php-5.3.29/Zend/zend.c:1331
#7  0x00007ffff7c4f86b in php_execute_script (primary_file=0x7fffffffc540) at /usr/src/debug/php-5.3.29/main/main.c:2331
#8  0x0000000000404182 in main (argc=7005528, argv=0x6ad078) at /usr/src/debug/php-5.3.29/sapi/cli/php_cli.c:1193
(gdb)

Comment 5 Elan Ruusamäe 2015-02-05 11:15:53 UTC
if someone interested, then i found patches for 5.3.29 from here:
https://webtatic.com/news/2015/01/latest-updates-php-5-3-29-4-security-release/
https://repo.webtatic.com/yum/centos/5/SRPMS/repoview/php.html

Comment 6 Fedora Update System 2015-02-06 03:59:39 UTC
php-5.6.5-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-02-06 04:03:24 UTC
php-5.5.21-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Vincent Danen 2015-02-09 14:29:03 UTC
Statement:

This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 5 and 6 or the versions of php53 as shipped with Red Hat Enterprise Linux 5 as the original flaw (CVE-2014-8142) did not affect these versions.

Comment 9 Remi Collet 2015-02-16 15:20:33 UTC
I confirm that php 5.3.3 is not affected.
None of the upstream reproducer cause segfault (bug 68594, 68710)

The affected piece of code have been add in 5.3.9 [1]
So this CVE probably affects php >= 5.3.9.



[1] https://github.com/php/php-src/commit/d3fdacb99fab186654bdf2f3adb17d9c628202f0

Comment 13 errata-xmlrpc 2015-06-04 08:03:30 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1066 https://rhn.redhat.com/errata/RHSA-2015-1066.html

Comment 14 errata-xmlrpc 2015-06-04 08:06:51 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1053 https://rhn.redhat.com/errata/RHSA-2015-1053.html

Comment 15 errata-xmlrpc 2015-06-23 08:11:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1135 https://rhn.redhat.com/errata/RHSA-2015-1135.html


Note You need to log in before you can comment on or make changes to this bug.