Bugzilla – Bug 918768
VUL-0: CVE-2015-0273: php5: Use after free vulnerability in unserialize() with DateTimeZone
Last modified: 2016-06-21 11:12:15 UTC
From http://php.net/ChangeLog-5.php#5.6.6
From https://bugs.php.net/bug.php?id=68942

Use after free vulnerability in php_date_timezone_initialize_from_hash()

The convert_to_long() leads to the ZVAL and all its children being freed from memory. However, the unserialize() code will still allow R: or r: to be used to set references to that already freed memory. There is a use after free vulnerability, which allows arbitrary code execution.

Reproducer 1: The following PHP code should leak arbitrary memory:

<?php
$fakezval = pack(
    'IIII',
    0x00100000,
    0x00000400,
    0x00000000,
    0x00000006
);
$data = unserialize('a:2:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:4;}');
for ($i = 0; $i < 5; $i++) {
    $v[$i] = $fakezval.$i;
}
var_dump($data);
?>

Reproducer 2: Z_STRVAL_PP leads to various problems. The following code should crash PHP:

<?php
$data = unserialize('O:12:"DateTimeZone":2:{s:13:"timezone_type";i:1;s:8:"timezone";i:1;}');
?>

patch-master https://bugs.php.net/patch-display.php?bug_id=68942&patch=patch-master&revision=latest
patch-5.5 https://bugs.php.net/patch-display.php?bug_id=68942&patch=patch-5.5&revision=latest
patch-5.4 https://bugs.php.net/patch-display.php?bug_id=68942&patch=patch-5.4&revision=latest
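A validator for serialized input in front of unserialize(), added here as an example; it is not part of the bug report or of PHP's code, and all function names are my own. It parses the PHP serialization format far enough to find DateTime/DateTimeZone objects whose timezone_type is not an integer or whose timezone is not a string, which is the shape both reproducers above rely on, and rejects such payloads before they reach unserialize().

```python
_SCALAR = {'i': int, 'd': float, 'b': lambda b: b == '1', 'N': lambda b: None}

def _pairs(s, i, n):              # n key;value pairs at s[i] -> (dict, index past '}')
    out = {}
    for _ in range(n):
        k, i = php_parse(s, i)
        v, i = php_parse(s, i)
        out[k] = v                # an array/object used as a key raises TypeError
    if s[i] != '}':
        raise ValueError('expected } at %d' % i)
    return out, i + 1

def php_parse(s, i):              # one serialized value at s[i] -> (value, index past it)
    t = s[i]
    if t in 'ibdNRr':             # i:1; d:1.5; b:1; N; R:4; r:4;
        j = s.index(';', i)
        return (_SCALAR[t](s[i + 2:j]) if t in _SCALAR else ('ref', t, int(s[i + 2:j]))), j + 1
    if t == 's':                  # s:<len>:"<bytes>"; the declared length is verified
        n = int(s[i + 2:(j := s.index(':', i + 2))])
        if s[j + 2 + n:j + 4 + n] != '";':
            raise ValueError('string length mismatch at %d' % i)
        return s[j + 2:j + 2 + n], j + 4 + n
    if t == 'a':                  # a:<count>:{...}
        return _pairs(s, (j := s.index(':', i + 2)) + 2, int(s[i + 2:j]))
    if t == 'O':                  # O:<len>:"<class>":<count>:{...}
        ln = int(s[i + 2:(j := s.index(':', i + 2))])
        cls, p = s[j + 2:j + 2 + ln], j + ln + 4
        props, i = _pairs(s, (k := s.index(':', p)) + 2, int(s[p:k]))
        return ('obj', cls, props), i
    raise ValueError('unsupported type %r at %d' % (t, i))

def bad_date_objects(v, path='$'):  # paths of date objects with wrongly typed properties
    bad = []
    if isinstance(v, tuple) and v[0] == 'obj':
        # DateTime/DateTimeZone need an int timezone_type and a str timezone; both reproducers send other types
        if v[1] in ('DateTime', 'DateTimeZone') and (type(v[2].get('timezone_type')) is not int
                                                     or not isinstance(v[2].get('timezone'), str)):
            bad.append(path)
        v = v[2]                  # then walk the properties like an array
    if isinstance(v, dict):
        for k, child in v.items():
            bad += bad_date_objects(child, '%s[%r]' % (path, k))
    return bad

def is_safe_to_unserialize(data):  # full parse and no malformed date object
    try:
        v, end = php_parse(data, 0)
    except (ValueError, IndexError, TypeError):
        return False
    return end == len(data) and not bad_date_objects(v)
```

This is a stop-gap for input that must be unserialized on a PHP build without the linked patches; the patches themselves remain the fix.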
On 13.2, reproducer 1 does nothing. Reproducer 2 segfaults.
bugbot adjusting priority
As far as I understand, CVE-2015-0273 is assigned to 'Use after free vulnerability', so Reproducer 2 does not play a role here. I will use the testcase from the commit patch set: http://git.php.net/?p=php-src.git;a=blob_plain;f=ext/date/tests/bug68942.phpt;hb=HEAD
No, this one: http://git.php.net/?p=php-src.git;a=blob_plain;f=ext/date/tests/bug68942_2.phpt;hb=HEAD

It shouldn't matter; just that I started with this one.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-03-03. When done, reassign the bug to security-team@suse.de.

https://swamp.suse.de/webswamp/wf/60773
Summary for QA: The first testcase should result in "PHP Fatal error: Invalid serialization data for DateTime object in /918768/test1.php on line" and the second testcase should not segfault php.
Actually, the patch with the name CVE-2015-0273 I am going to submit fixes more than "CVE-2015-0273: php5: Use after free vulnerability in unserialize() with DateTimeZone". To my present knowledge, the use after free in DateTimeZone would happen only for 5.5 and 5.6. The same issue also happens for the DateTime object. Moreover -- again only for 5.5 and 5.6 -- there is a segfault exposed by Reproducer 2 which, as I believe, does not belong under the description of the bug.
(In reply to Petr Gajdos from comment #21)
> segfault exposed by Reproducer 2 which, as I believe, does not belong under

*fixed a segfault*
Packages submitted:
openSUSE: mr#287863
12: mr#52276
11sp3: sr#52278
I need some advice on the test results from the running maintenance update for 11-SP3 (SWAMP 60827) for the various test cases linked in this bug report.

test case origin    before the update             after the update
comment #0 tc1      0 warnings from valgrind      0 warnings from valgrind
comment #0 tc2      0 warnings from valgrind      0 warnings from valgrind
comment #14         12 errors from 11 contexts    0 errors from 0 contexts
comment #24         12 errors from 11 contexts    12 errors from 11 contexts

Looks fixed to me, as long as the defect referenced in comment#24 of this bug report is another issue.
The test results for the related update for SLE12 (SUSE:Maintenance:442:52584) look a bit different:

test case origin    before the update             after the update
comment #0 tc1      12 errors from 11 contexts    0 warnings from valgrind
comment #0 tc2      1 errors from 1 contexts      0 warnings from valgrind
comment #14         12 errors from 11 contexts    0 errors from 0 contexts
comment #24         12 errors from 11 contexts    12 errors from 11 contexts

In the end, it comes down to the same question on comment#24 ...
(In reply to Heiko Rommel from comment #28)
> comment #24         12 errors from 11 contexts    12 errors from 11 contexts
>
> In the end, it comes down to the same question on comment#24 ...

Yep, expected. This is just another bug that will probably get another CVE, as this is not fixed even in the latest released php versions. I wanted to point it out to the security team to let them decide if they want to include it in the upcoming update or not.
SUSE-SU-2015:0424-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 917150,918768
CVE References: CVE-2014-9652,CVE-2015-0273
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): php5-5.5.14-15.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-15.1
PHP 5.2 and 5.1 are not affected, so the older php5 packages on sle11 are not affected.
SUSE-SU-2015:0436-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 917150,918768
CVE References: CVE-2013-6501,CVE-2014-9652
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): php53-5.3.17-0.35.2
SUSE Linux Enterprise Server 11 SP3 for VMware (src): php53-5.3.17-0.35.2
SUSE Linux Enterprise Server 11 SP3 (src): php53-5.3.17-0.35.2
openSUSE-SU-2015:0440-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 917150,918768
CVE References: CVE-2014-9652,CVE-2015-0273
Sources used:
openSUSE 13.2 (src): php5-5.6.1-12.1
openSUSE 13.1 (src): php5-5.4.20-42.1
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-47.1