Bug 1223441 (CVE-2015-3307) - CVE-2015-3307 php: invalid pointer free() in phar_tar_process_metadata()
Summary: CVE-2015-3307 php: invalid pointer free() in phar_tar_process_metadata()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3307
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1228052 1228053 1228070 1228071 1228072 1228073 1228074 1228075 1228076 1228077
Blocks: 1213462
 
Reported: 2015-05-20 14:00 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:15 UTC (History)

Fixed In Version: php 5.4.40, php 5.5.24, php 5.6.8
Doc Type: Bug Fix
Doc Text:
An invalid free flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
Clone Of:
Environment:
Last Closed: 2015-07-09 21:34:21 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1066 0 normal SHIPPED_LIVE Important: php54 security and bug fix update 2015-06-05 15:42:20 UTC
Red Hat Product Errata RHSA-2015:1135 0 normal SHIPPED_LIVE Important: php security and bug fix update 2015-06-23 12:11:40 UTC
Red Hat Product Errata RHSA-2015:1186 0 normal SHIPPED_LIVE Important: php55-php security update 2015-06-25 12:31:54 UTC
Red Hat Product Errata RHSA-2015:1187 0 normal SHIPPED_LIVE Important: rh-php56-php security update 2015-06-25 12:43:17 UTC
Red Hat Product Errata RHSA-2015:1218 0 normal SHIPPED_LIVE Moderate: php security update 2015-07-09 21:01:41 UTC

Description Vasyl Kaigorodov 2015-05-20 14:00:46 UTC
A vulnerability in PHP was reported whereby the Heap header gets misaligned resulting in the corruption of the heap chunk's metadata.

A heap chunk is allocated in ext/phar/tar.c:167

   metadata = (char *) safe_emalloc(1, entry->uncompressed_filesize, 1);

A reference to this heap chunk is passed into phar_parse_metadata() at ext/phar/tar.c:176

   if (phar_parse_metadata(&metadata, &entry->metadata, entry->uncompressed_filesize TSRMLS_CC) == FAILURE) {

The following gets called within phar_parse_metadata:611 when zip_metadata_len==0

   PHAR_GET_32(*buffer, buf_len);

This moves the pointer referencing the heap chunk by 4 bytes.

When the heap chunk gets freed at tar.c:177:

   efree(metadata);

The heap chunk is now misaligned by 4 bytes. In other words: ZEND_MM_HEADER_OF(metadata).info._size is now
ZEND_MM_HEADER_OF(metadata).info._prev and ZEND_MM_HEADER_OF(metadata).info._prev is tainted with the body's data.

Upstream bug:
https://bugs.php.net/bug.php?id=69443

Upstream patch:
http://git.php.net/?p=php-src.git;a=commitdiff;h=17cbd0b5b78a7500f185b3781a2149881bfff8ae

This patch was for CVE-2015-2783 (bug 1213446), but it inadvertently resolved this vulnerability as well. The vulnerable line that was removed was on ext/phar/phar.c:611

  PHAR_GET_32(*buffer, buf_len);
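The defect pattern in the report, as an added illustration that is not PHP's code: a length-prefix reader advances the caller's pointer through a `char **`, and the caller must free the allocation base rather than the advanced cursor. `GET_32`, `parse_metadata` and `process_metadata_fixed` are hypothetical stand-ins for `PHAR_GET_32`, `phar_parse_metadata()` and the `tar.c` caller; the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for PHAR_GET_32: read a little-endian 32-bit value and
 * advance the cursor. This side effect on the caller's pointer is what
 * left efree() with a pointer 4 bytes past the allocation start. */
#define GET_32(buffer, var) do {            \
    uint32_t le_;                           \
    memcpy(&le_, (buffer), 4);              \
    (var) = le_;                            \
    (buffer) += 4;                          \
} while (0)

/* Models phar_parse_metadata(): consumes the length prefix through the
 * caller's pointer. Returns 0 on success, -1 if the prefix is truncated. */
int parse_metadata(char **buffer, size_t buf_len, uint32_t *out_len)
{
    if (buf_len < 4)
        return -1;
    GET_32(*buffer, *out_len);   /* *buffer has now moved by 4 bytes */
    return 0;
}

/* Hardened caller: keep the allocation base in its own variable and free
 * only that, never the cursor the parser advanced. Returns the parsed
 * length prefix (or -1 on failure) and reports via *moved how far the
 * parser moved the cursor, i.e. the offset a naive free() would have used. */
long process_metadata_fixed(const unsigned char *data, size_t n, size_t *moved)
{
    char *base = malloc(n + 1);            /* mirrors safe_emalloc(1, n, 1) */
    if (base == NULL)
        return -1;
    memcpy(base, data, n);
    base[n] = '\0';

    char *cursor = base;                   /* parser works on a copy of the pointer */
    uint32_t len = 0;
    long rc = (parse_metadata(&cursor, n, &len) == 0) ? (long)len : -1;

    *moved = (size_t)(cursor - base);
    free(base);                            /* correct: the base, not the cursor */
    return rc;
}
```

A debug build can additionally assert `cursor != base` before the free only ever holds for the parser's local copy, never for the pointer handed to the allocator.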

Comment 1 Vasyl Kaigorodov 2015-05-20 14:02:15 UTC
Original report: http://seclists.org/oss-sec/2015/q2/477

Comment 7 Tomas Hoger 2015-06-05 14:48:10 UTC
The PHP packages as shipped as part of the php54 collection in Red Hat Software Collections were updated to fixed upstream version 5.4.40 via RHSA-2015:1066 released as part of Red Hat Software Collections 2.0.


This issue has been addressed in the php54-php packages in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1066 https://rhn.redhat.com/errata/RHSA-2015-1066.html

Comment 8 Angelo Alvarez 2015-06-11 00:56:43 UTC
Why is it that there is no information on the CVE page as to which PHP versions are affected??  This is frustrating!!! :(  Can someone please help out the customers and update the page?
https://access.redhat.com/security/cve/CVE-2015-3307

Comment 9 errata-xmlrpc 2015-06-23 08:13:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1135 https://rhn.redhat.com/errata/RHSA-2015-1135.html

Comment 10 errata-xmlrpc 2015-06-25 08:32:46 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2015:1186 https://rhn.redhat.com/errata/RHSA-2015-1186.html

Comment 11 errata-xmlrpc 2015-06-25 08:44:05 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2015:1187 https://rhn.redhat.com/errata/RHSA-2015-1187.html

Comment 12 Martin Prpič 2015-06-29 09:43:01 UTC
Statement:

This issue affected all versions of PHP shipped in various Red Hat products, except version PHP 5.1.x that is shipped with Red Hat Enterprise Linux 5.

Comment 13 errata-xmlrpc 2015-07-09 17:08:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1218 https://rhn.redhat.com/errata/RHSA-2015-1218.html

