Bugzilla – Bug 922894
VUL-1: CVE-2015-2331: php5: php53: ZIP Integer Overflow leads to writing past heap boundary
Last modified: 2020-05-18 11:54:31 UTC
via oss-sec
From: Emmanuel Law <emmanuel.law@gmail.com>
Subject: [oss-security] CVE Request: ZIP Integer Overflow leads to writing past heap boundary

Hi,

found an integer overflow in PHP. When processing a malformed zip file with many entries, it leads to a heap overflow.

Affected Version <= PHP 5.6.6
Bug Report: https://bugs.php.net/bug.php?id=69253
Patch: https://github.com/php/php-src/commit/ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5

Could you please assign a CVE-ID for it?

Thanks,
Emmanuel
bugbot adjusting priority
CVE-2015-2331 was assigned to this issue, as far as I can see.
I can reproduce the segfault on live system, 5.6.6:

1. install php5-zip rpm
2. $ cat test.php
<?php
$path = $argv[1];
$zip = new ZipArchive;
if ($zip->open($path) === true) {
    echo "OPEN!";
}
$zip->close();
?>

BEFORE:
$ php test.php fuzz.zip
Segmentation fault

AFTER:
$ php test.php fuzz.zip
PHP Warning:  ZipArchive::close(): Invalid or uninitialized Zip object in /922894/test.php on line 10
... and on chroot too. I can't reproduce the segfault with this particular testcase for 5.5 and lower.
The backtrace looks like:

For 5.6:

#0  _zip_cdir_new (nentry=3458764513820540928, error=0x7fffffffa970) at /usr/src/debug/php-5.6.6/ext/zip/lib/zip_dirent.c:113
#1  0x00007ffff60b1230 in _zip_read_eocd64 (f=0xd1fa60, eocd64loc=0xd1fcd8 "PK\006\a0000", buf=0xd1fca0 "PK\006\006", '\060' <repeats 20 times>, buf_offset=0, buflen=98, flags=0, error=0x7fffffffa970) at /usr/src/debug/php-5.6.6/ext/zip/lib/zip_open.c:734

In zip_open.c, there is:

661     zip_uint64_t size, nentry, i;
...
714     nentry = _zip_read8(&cdp);
...
734     if ((cd=_zip_cdir_new(nentry, error)) == NULL)
735         return NULL;

_zip_read8() is unsigned long.

On the contrary, for 5.5 (and perhaps less, need to check) we have:

#0  _zip_cdir_new (nentry=12336, error=0x7fffffff9970) at /usr/src/debug/php-5.5.14/ext/zip/lib/zip_dirent.c:99
#1  0x00007ffff5eb177c in _zip_readcdir (fp=0xd33460, buf_offset=0, buf=0xd336b0 "PK\006\006", '\060' <repeats 20 times>, eocd=0xd336fc "PK\005\006", buflen=98, flags=0, error=0x7fffffff9970) at /usr/src/debug/php-5.5.14/ext/zip/lib/zip_open.c:201
[...]

In zip_open.c, there is:

174     int i, comlen, nentry;
...
199     nentry = _zip_read2(&cdp);
200
201     if ((cd=_zip_cdir_new(nentry, error)) == NULL)
202         return NULL;

where _zip_read2 is unsigned short, so if I understand correctly the malloc() in question gets (size_t)(sizeof(*(cd->entry))*nentry), which is 88*65535 = 5767080 at most. Am I correct?
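Added example (not code from this bug, php-src or libzip): the unchecked byte-size computation of the 5.6 path placed next to the range check that prevents it, using the 88-byte entry size and the counts discussed in the comment above. ENTRY_SIZE, the function names and the wrapping count are my own constructions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in size of one central-directory entry; 88 matches the
   sizeof(*(cd->entry)) figure in the comment above (constructed). */
#define ENTRY_SIZE 88u

/* 5.6 code path: the count comes from _zip_read8() as 64 bits and the
   byte size is formed without a range check, so it wraps modulo 2^64. */
uint64_t unchecked_alloc_size(uint64_t nentry) {
    return nentry * ENTRY_SIZE;
}

/* Hardened allocation: refuse any count whose byte size is not
   representable, so a wrapped (too small) buffer is never handed out. */
void *alloc_entries_checked(uint64_t nentry) {
    if (nentry > SIZE_MAX / ENTRY_SIZE) {
        return NULL;            /* corrupt or hostile EOCD: reject it */
    }
    return calloc((size_t)nentry, ENTRY_SIZE);
}

/* 1 if the checked allocator accepts this count, 0 if it refuses it. */
int checked_alloc_succeeds(uint64_t nentry) {
    void *p = alloc_entries_checked(nentry);
    if (p == NULL) return 0;
    free(p);
    return 1;
}

/* Upper bound on the 5.5 code path, where _zip_read2() yields 16 bits:
   88 * 65535 bytes, which cannot overflow. */
uint64_t max_alloc_for_16bit_count(void) {
    return (uint64_t)UINT16_MAX * ENTRY_SIZE;
}

int main(void) {
    /* Constructed count with 88 * n == 2^64 + 72: the unchecked size wraps to
       72 bytes, less than one entry, while n claims about 2e17 entries. */
    uint64_t wrapped = 209622091746699451ULL;
    uint64_t from_trace = 3458764513820540928ULL;   /* count in the 5.6 backtrace */

    printf("16-bit max size: %" PRIu64 " bytes\n", max_alloc_for_16bit_count());
    printf("unchecked size for wrapped count: %" PRIu64 " bytes\n", unchecked_alloc_size(wrapped));
    printf("checked alloc accepts wrapped/trace/65535: %d/%d/%d\n",
           checked_alloc_succeeds(wrapped), checked_alloc_succeeds(from_trace), checked_alloc_succeeds(65535));
    return 0;
}
```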
Adding zip maintainer to cc.
Uff, removing maintainer of zip and adding maintainer of libzip to cc :-D.
For factory, I would build against system libzip.
This is an autogenerated message for OBS integration: This bug (922894) was mentioned in https://build.opensuse.org/request/show/291691 Factory / php5
I think the question for me is answered.
This is an autogenerated message for OBS integration: This bug (922894) was mentioned in https://build.opensuse.org/request/show/292664 Factory / php5
Please review my submit requests.
openSUSE-SU-2015:0644-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 922022,922451,922452,922894,923946
CVE References: CVE-2014-9705,CVE-2014-9709,CVE-2015-2301,CVE-2015-2305,CVE-2015-2331
Sources used:
openSUSE 13.2 (src): php5-5.6.1-15.1
openSUSE 13.1 (src): php5-5.4.20-45.1
possibly more embedded copies of libzip: http://lists.opensuse.org/opensuse-factory/2015-08/msg00550.html

libexempi*.so* libquazip*.so* libzip*.so*

7z.so
7z.so.001
7za
7za.001
libexempi.so.3.2.4
libexempi.so.3.2.4.001
libquazip.so.1.0.0
libquazip.so.1.0.0.001
libzip.so.4.0.0
libzip.so.4.0.0.001
zip
zip.001
Done, I think, then.