Bugzilla – Bug 911664
VUL-0: CVE-2014-9427: php5: sapi/cgi/cgi_main.c in the CGI component in PHP
Last modified: 2020-05-18 11:54:25 UTC
CVE-2014-9427 sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9427
https://bugs.php.net/bug.php?id=68618
http://openwall.com/lists/oss-security/2015/01/01/1
http://openwall.com/lists/oss-security/2014/12/31/6
http://git.php.net/?p=php-src.git;a=commit;h=f9ad3086693fce680fbe246e4a45aa92edd2ac35
Reproduced via

$ printf "#" >crashme.php
$ valgrind php-cgi crashme.php
==20659== Memcheck, a memory error detector
==20659== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==20659== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==20659== Command: php-cgi crashme.php
==20659==
==20659== Invalid read of size 1
==20659==    at 0x57536C: main (cgi_main.c:2439)
==20659==  Address 0x4023000 is not stack'd, malloc'd or (recently) free'd
==20659==
==20659==
==20659== Process terminating with default action of signal 11 (SIGSEGV)
==20659==  Access not within mapped region at address 0x4023000
==20659==    at 0x57536C: main (cgi_main.c:2439)
$
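To illustrate the defect described in comment #0 and the one-byte read valgrind flags above, here is example code added to this report (not PHP's cgi_main.c): a "#!" line skipper that scans for a newline alone runs past a one-byte mapping, while the bounds-checked variant stops at the mapping length. The function names, the 16-byte padded buffer and the sample inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the defect in comment #0: a mapped .php file that
 * begins with '#' and has no newline. A "#!" skipper that scans for '\n'
 * alone walks off the end of the mapping (the invalid one-byte read that
 * valgrind reports above). Example code, not PHP's cgi_main.c. */
/* Unsafe pattern: no bound other than finding '\n'. Called here only on a
 * deliberately padded buffer so the demo stays within defined behaviour. */
static size_t skip_hash_line_unchecked(const char *buf)
{
    size_t pos = 0;
    if (buf[0] != '#')
        return 0;
    while (buf[pos] != '\n')      /* nothing stops this at the mapping end */
        pos++;
    return pos + 1;               /* offset where PHP source would resume */
}

/* Hardened pattern: bounded by the mapping length. A '#' line without a
 * newline yields an empty script (offset == len) instead of an over-read. */
static size_t skip_hash_line_checked(const char *buf, size_t len)
{
    size_t pos = 0;
    if (len == 0 || buf[0] != '#')
        return 0;
    while (pos < len && buf[pos] != '\n')
        pos++;
    return pos < len ? pos + 1 : len;
}

/* Models the crashme.php case: a 1-byte mapping holding "#", with 15 bytes
 * of padding standing in for adjacent memory. Returns how many bytes past
 * the mapping the unchecked skipper read (0 would mean it stayed inside). */
static size_t unchecked_overrun_on_hash_file(void)
{
    char padded[16];
    memset(padded, 'A', sizeof padded);
    padded[0] = '#';
    padded[15] = '\n';            /* first newline lies outside the mapping */
    return skip_hash_line_unchecked(padded) - 1;
}

int main(void)
{
    printf("unchecked skipper read %zu bytes past the 1-byte mapping\n",
           unchecked_overrun_on_hash_file());
    printf("checked skipper resumed at offset %zu of 1\n",
           skip_hash_line_checked("#", 1));
    return 0;
}
```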
Reproduced on 13.1 (5.4.20), 13.2 (5.6.1), factory (5.6.4) and sle12 (5.5.14). Nowhere else.
(In reply to Victor Pereira from comment #0)
> http://git.php.net/?p=php-src.git;a=commit;h=f9ad3086693fce680fbe246e4a45aa92edd2ac35

This fixes the problem for me. Committed to factory.
This is an autogenerated message for OBS integration: This bug (911664) was mentioned in https://build.opensuse.org/request/show/279961 Factory / php5
bugbot adjusting priority
Packages submitted.
openSUSE-SU-2015:0325-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 907519,910659,911663,911664,914690
CVE References: CVE-2014-8142,CVE-2014-9426,CVE-2014-9427,CVE-2015-0231,CVE-2015-0232
Sources used:
openSUSE 13.2 (src): php5-5.6.1-8.1
openSUSE 13.1 (src): php5-5.4.20-38.1
SUSE-SU-2015:0365-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 907519,910659,911664,914690
CVE References: CVE-2014-8142,CVE-2014-9427,CVE-2015-0231,CVE-2015-0232
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): php5-5.5.14-11.3
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-11.3
all updates released