Bugzilla – Bug 886059
VUL-0: CVE-2014-4670: php5,php53: SPL Iterators use-after-free
Last modified: 2020-05-18 11:53:52 UTC
CVE-2014-4670

Description:
------------
SPL provides a set of iterators to traverse over objects (including internal iterators). Changes in the object are not projected to the object iterators. This results in iterators pointing to freed memory. Calling next on the iterator triggers a use-after-free.

Please use CVE-2014-4670 for this bug.

Test script:
---------------
<?php
$list = new SplDoublyLinkedList();
$list->push('a');
$list->push('b');
$list->rewind();
$list->offsetUnset(0);
$list->push('c');
$list->offsetUnset(0);
$list->next();

Actual result:
--------------
$ USE_ZEND_ALLOC=0 valgrind /opt/php/5.5.14/bin/php test.php
==14274== Memcheck, a memory error detector
==14274== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==14274== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==14274== Command: /opt/php/5.5.14/bin/php test.php
==14274==
==14274== Invalid read of size 4
==14274==    at 0x8367BCC: spl_dllist_it_helper_move_forward (spl_dllist.c:989)
==14274==    by 0x852E1B1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==14274==    by 0x84F0935: execute_ex (zend_vm_execute.h:363)
==14274==    by 0x8488C71: zend_execute_scripts (zend.c:1316)
==14274==    by 0x842943A: php_execute_script (main.c:2506)
==14274==    by 0x8531447: do_cli (php_cli.c:994)
==14274==    by 0x808149B: main (php_cli.c:1378)
==14274==  Address 0x716b748 is 8 bytes inside a block of size 16 free'd
==14274==    at 0x402750C: free (vg_replace_malloc.c:427)
==14274==    by 0x83688FF: zim_spl_SplDoublyLinkedList_offsetUnset (spl_dllist.c:922)
==14274==    by 0x852E1B1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==14274==    by 0x84F0935: execute_ex (zend_vm_execute.h:363)
==14274==    by 0x8488C71: zend_execute_scripts (zend.c:1316)
==14274==    by 0x842943A: php_execute_script (main.c:2506)
==14274==    by 0x8531447: do_cli (php_cli.c:994)
==14274==    by 0x808149B: main (php_cli.c:1378)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4670
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4670.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670
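The bug pattern in the report above, as an added illustration that is not php-src code: a doubly-linked list with a traversal cursor (the analogue of the SplDoublyLinkedList traverse pointer) where offsetUnset() releases a node without telling the cursor, so the following next() reads released memory. The list, the node quarantine that stands in for valgrind's free-tracking, and the "fix" that moves the cursor to the next element before the node goes away are all assumptions made for this example; they are not a description of the php-src commit. replay_test_script() runs the reporter's script against the buggy and the fixed variant.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of CVE-2014-4670's shape, not php-src code. */

#define QUARANTINE_CAP 64
#define POISON_BYTE 0xA5

typedef struct node {
    struct node *prev, *next;
    int value;
    int released;   /* set when the node was "freed"; what valgrind tracks for real */
} node;

typedef struct {
    node *head, *tail;
    node *cursor;                      /* where next()/current() read from */
    node *quarantine[QUARANTINE_CAP];  /* released nodes kept so a stale read is safe to detect */
    size_t nq;
    int fix_cursor;                    /* 0: reproduce the bug, 1: move the cursor off the node */
} dllist;

static void list_init(dllist *l, int fix_cursor) {
    memset(l, 0, sizeof *l);
    l->fix_cursor = fix_cursor;
}

static int list_push(dllist *l, int value) {
    node *n = calloc(1, sizeof *n);
    if (!n) return -1;
    n->value = value;
    n->prev = l->tail;
    if (l->tail) l->tail->next = n; else l->head = n;
    l->tail = n;
    return 0;
}

static void list_rewind(dllist *l) { l->cursor = l->head; }

/* offsetUnset(idx): unlink the idx-th node and release it. */
static int list_offset_unset(dllist *l, size_t idx) {
    node *n = l->head;
    while (n && idx--) n = n->next;
    if (!n) return -1;

    if (n->prev) n->prev->next = n->next; else l->head = n->next;
    if (n->next) n->next->prev = n->prev; else l->tail = n->prev;

    /* The fix used in this illustration (an assumption, not the php-src change):
     * never leave the cursor on memory that is about to be released. */
    if (l->fix_cursor && l->cursor == n) l->cursor = n->next;

    /* "free" the node: poison it and park it in quarantine instead of calling
     * free(), so the buggy path can be exercised without undefined behaviour. */
    n->released = 1;
    n->value = POISON_BYTE;
    n->prev = n->next = NULL;
    if (l->nq < QUARANTINE_CAP) l->quarantine[l->nq++] = n; else free(n);
    return 0;
}

/* next(): 1 = moved onto a live element, 0 = ran off the end (or no cursor),
 * -1 = the cursor pointed at a released node, i.e. the use-after-free. */
static int list_next(dllist *l) {
    if (!l->cursor) return 0;
    if (l->cursor->released) return -1;
    l->cursor = l->cursor->next;
    return l->cursor != NULL;
}

static void list_destroy(dllist *l) {
    node *n = l->head;
    while (n) { node *next = n->next; free(n); n = next; }
    for (size_t i = 0; i < l->nq; i++) free(l->quarantine[i]);
    memset(l, 0, sizeof *l);
}

/* Replay of the bug report's test script against this list. */
static int replay_test_script(int fix_cursor) {
    dllist l;
    list_init(&l, fix_cursor);
    list_push(&l, 'a');
    list_push(&l, 'b');
    list_rewind(&l);            /* cursor -> 'a' */
    list_offset_unset(&l, 0);   /* 'a' released; the buggy cursor still points at it */
    list_push(&l, 'c');
    list_offset_unset(&l, 0);   /* 'b' released; fixed cursor now sits on 'c' */
    int rc = list_next(&l);     /* reads through the cursor */
    list_destroy(&l);
    return rc;
}

int main(void) {
    printf("buggy cursor: %d (-1 = use-after-free)\n", replay_test_script(0));
    printf("fixed cursor: %d (0 = walked off the end cleanly)\n", replay_test_script(1));
    return 0;
}
```

The reporter's USE_ZEND_ALLOC=0 matters for the same reason the quarantine does here: with Zend's own allocator enabled, released chunks stay inside its pools and a stale read lands in still-mapped memory, so valgrind reports nothing; disabling it routes the release through libc free(), which is where the "Invalid read ... inside a block ... free'd" trace above comes from.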
bugbot adjusting priority
bug: https://bugs.php.net/bug.php?id=67538
commit: http://git.php.net/?p=php-src.git;a=commit;h=df78c48354f376cf419d7a97f88ca07d572f00fb
php 5.5.14 affected as well, submitted to factory and sle12.
This is an autogenerated message for OBS integration: This bug (886059) was mentioned in https://build.opensuse.org/request/show/241423 Factory / php5
Packages submitted.
Affected packages: SLE-11-SP3: php53
SUSE-SU-2014:0938-1: An update that fixes 9 vulnerabilities is now available.
Category: security (moderate)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060
CVE References: CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): php53-5.3.17-0.27.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): php53-5.3.17-0.27.1
SUSE Linux Enterprise Server 11 SP3 (src): php53-5.3.17-0.27.1
fixed and released
openSUSE-SU-2014:0945-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 885961,886059,886060
CVE References: CVE-2014-4670,CVE-2014-4698,CVE-2014-4721
Sources used:
openSUSE 13.1 (src): php5-5.4.20-21.1
openSUSE 12.3 (src): php5-5.3.17-3.25.1
This is an autogenerated message for OBS integration: This bug (886059) was mentioned in https://build.opensuse.org/request/show/249993 Evergreen:11.4 / php5.openSUSE_Evergreen_11.4
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.
Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-47.1