Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2094 to the following vulnerability:

Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the (1) phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5) phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers errors in the php_stream_wrapper_log_error function.

References:
[1] http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html
[2] http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.html
[3] http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.html
[4] http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.html
[5] http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.html

Public PoC (from [1]):
$ php -r "fopen('phar:///usr/bin/phar.phar/*%08x-%08x-%08x-%08x-%08x-%08x-%08x-%08x-%08x','r');"

Credit: All flaws discovered by Stefan Esser.
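The bug class in this report is the classic one: a printf-style logger is handed attacker-controlled text (here the phar:// URI) as its format string instead of as an argument. The following C example is added here for illustration and is not code from PHP or from the advisories; log_error() is a hypothetical stand-in for php_stream_wrapper_log_error, and the URI is a constructed sample. It shows the vulnerable call shape beside the fixed one, and a small audit helper that counts conversion directives in a string, which is the check a reviewer or fuzzer harness applies to data reaching a log sink.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for php_stream_wrapper_log_error: a printf-style
 * logger that formats into a fixed buffer. (Constructed for this example.) */
static char g_last_error[256];

static void log_error(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_last_error, sizeof g_last_error, fmt, ap);
    va_end(ap);
}

/* VULNERABLE shape (what CVE-2010-2094 describes): the untrusted URI is the
 * format string itself. With no '%' in the input it looks harmless; any
 * directive makes vsnprintf read whatever varargs it expects. A compiler
 * flags this with -Wformat-security when log_error carries the printf
 * format attribute. */
static const char *report_unsafe(const char *uri) {
    log_error(uri);
    return g_last_error;
}

/* FIXED shape (the fix for this class): untrusted data is only ever an
 * argument, never the format. */
static const char *report_safe(const char *uri) {
    log_error("phar error: %s", uri);
    return g_last_error;
}

/* Audit helper: count printf conversion directives in a string, treating the
 * literal escape "%%" as no directive. Untrusted input with a non-zero
 * count reaching a format-string position is the finding. */
static int count_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            n++;
        }
    }
    return n;
}

int main(void) {
    /* Constructed sample modelled on the advisory's PoC shape. */
    const char *crafted = "phar:///tmp/sample.phar/*%08x-%08x";
    printf("directives in crafted URI: %d\n", count_directives(crafted));
    printf("safe  : %s\n", report_safe(crafted));
    /* report_unsafe(crafted) is deliberately not called: it would interpret
     * the directives, which is the memory disclosure the advisory describes. */
    printf("unsafe with benign input: %s\n", report_unsafe("phar:///tmp/sample.phar"));
    return 0;
}
```

The benign call through report_unsafe() returns the URI unchanged, which is exactly why this pattern survives testing: the defect only shows once a '%' reaches the format position. Treat any log or error sink that takes a format string as a taint boundary and require the "%s" form at every call site.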
Upstream commit (seems to pre-date the MOPS advisories' publication by 2+ weeks, but credits Stefan Esser):
http://svn.php.net/viewvc?view=revision&revision=298667

This upstream commit does not fix the phar_stream_flush() case mentioned in MOPS-2010-024.
Affected code only exists in PHP 5.3 and later.

Statement: Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 3, 4, or 5, and Red Hat Application Stack v2.
(In reply to comment #4)
> http://svn.php.net/viewvc?view=revision&revision=298667
>
> This upstream commit does not fix phar_stream_flush() case mentioned in
> MOPS-2010-024.

Fixed now in:
http://svn.php.net/viewvc?view=revision&revision=302565
(In reply to comment #7)
> (In reply to comment #4)
> > http://svn.php.net/viewvc?view=revision&revision=298667
> >
> > This upstream commit does not fix phar_stream_flush() case mentioned in
> > MOPS-2010-024.
>
> Fixed now in:
> http://svn.php.net/viewvc?view=revision&revision=302565

This got CVE-2010-2950.
This is fixed in upstream 5.3.4 now.
Removing CVE-2010-2950 from this bug and filing it separately as bug 835024.