Bug 1207676 (CVE-2015-2787) - CVE-2015-2787 php: use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re
Summary: CVE-2015-2787 php: use-after-free vulnerability in the process_nested_data fu...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-2787
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150302,repor...
Depends On: 1204762 1204763 1204765 1204766 1207678 1209880 1209884 1209887
Blocks: 1207679 1210213
TreeView+ depends on / blocked
 
Reported: 2015-03-31 13:16 UTC by Vasyl Kaigorodov
Modified: 2019-06-08 20:31 UTC (History)
17 users (show)

Fixed In Version: PHP 5.4.39, PHP 5.5.23, PHP 5.6.7
Doc Type: Bug Fix
Doc Text:
A flaws was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2015-07-09 21:46:10 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1053 normal SHIPPED_LIVE Moderate: php55 security and bug fix update 2015-06-04 12:06:06 UTC
PHP Bug Tracker 68976 None None None Never
Red Hat Product Errata RHSA-2015:1066 normal SHIPPED_LIVE Important: php54 security and bug fix update 2015-06-05 15:42:20 UTC
Red Hat Product Errata RHSA-2015:1135 normal SHIPPED_LIVE Important: php security and bug fix update 2015-06-23 12:11:40 UTC
Red Hat Product Errata RHSA-2015:1218 normal SHIPPED_LIVE Moderate: php security update 2015-07-09 21:01:41 UTC

Description Vasyl Kaigorodov 2015-03-31 13:16:17 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2015-2787 to
the following vulnerability:

Name: CVE-2015-2787
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2787
Assigned: 20150329
Reference: https://gist.github.com/smalyshev/eea9eafc7c88a4a6d10d

Use-after-free vulnerability in the process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before
5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute
arbitrary code via a crafted unserialize call that leverages use of
the unset function within an __wakeup function, a related issue to
CVE-2015-0231.

Comment 1 Vasyl Kaigorodov 2015-03-31 13:17:10 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1207678]

Comment 9 Carl Riches 2015-05-04 19:59:24 UTC
Can you provide an update on the status of this bug?  The NIST NVD shows a higher vuln score than your whiteboard comments show (above).  This is the NIST rating:

 Original release date: 03/30/2015
Last revised: 04/13/2015
Source: US-CERT/NIST 

CVSS Severity (version 2.0):
  CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Impact Subscore: 6.4
  Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
  Access Vector: Network exploitable
  Access Complexity: Low
  Authentication: Not required to exploit
  Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service 

(from https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2787)

They have placed the severity of this vuln at a higher level than shown in your whiteboard comments (above).

Thanks.

Comment 10 errata-xmlrpc 2015-06-04 08:04:19 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1066 https://rhn.redhat.com/errata/RHSA-2015-1066.html

Comment 11 errata-xmlrpc 2015-06-04 08:07:42 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1053 https://rhn.redhat.com/errata/RHSA-2015-1053.html

Comment 12 errata-xmlrpc 2015-06-23 08:12:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1135 https://rhn.redhat.com/errata/RHSA-2015-1135.html

Comment 13 errata-xmlrpc 2015-07-09 17:07:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1218 https://rhn.redhat.com/errata/RHSA-2015-1218.html


Note You need to log in before you can comment on or make changes to this bug.