Bug 931769 (CVE-2015-4021) - VUL-0: CVE-2015-4021: php5, php53: memory corruption in phar_parse_tarfile when entry filename starts with NULL
Summary: VUL-0: CVE-2015-4021: php5, php53: memory corruption in phar_parse_tarfile wh...
Status: RESOLVED FIXED
Alias: CVE-2015-4021
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/116949/
Whiteboard: maint:running:61384:moderate maint:re...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-21 06:54 UTC by Alexander Bergmann
Modified: 2016-08-08 14:26 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
testcase archive (8.00 KB, application/x-tar)
2015-05-22 08:14 UTC, Petr Gajdos 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2015-05-21 06:54:37 UTC 
https://bugs.php.net/bug.php?id=69453

------------------------------------------------
This is a single byte memory corruption vulnerability. It is triggered when a tar entry->filename starts with a null byte.

At tar.c:430 entry.filename_len will be set to zero.
if (hdr->name[i] == '\0') {
break;
}
entry.filename_len = i;

This will result in an underflow in the array index at tar.437 :
if (entry.filename[entry.filename_len - 1] == '/') {
entry.filename[entry.filename_len - 1] = '\0';
entry.filename_len--;
}

Since entry.filename is pointing to a heap chunk (zend_mm_block), on a x86 machine, it has the potential to corrupt the heap chunk metadata.

on x64 machine, it has the potential to corrupt 1 byte at the offset entry.filename+0xFFFFFFFF

Test script:
---------------
POC here:
https://www.dropbox.com/s/dg8uit7533e8q8l/POC_1byte_corruption.zip?dl=0

$ ./php POC_FileName_Nullbyte_crash.php

Segmentation fault
------------------------------------------------

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1223425
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4021
http://seclists.org/oss-sec/2015/q2/505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4021
Comment 1 Swamp Workflow Management 2015-05-21 22:00:15 UTC 
bugbot adjusting priority
Comment 2 Petr Gajdos 2015-05-22 08:14:04 UTC 
Created attachment 635157 [details]
testcase archive
Comment 3 Petr Gajdos 2015-05-22 08:27:05 UTC 
QA

$ zypper in php5 php5-phar
$ cat test.php
<?php
$fname = dirname(__FILE__) . '/test.tar.phar';
try {
$r = new Phar($fname, 0);
} catch(UnexpectedValueException $e) {
	echo $e;
}
?>

BEFORE:
$ php test.php
Segmentation fault
$

AFTER:
$ php test.php
exception 'UnexpectedValueException' with message 'phar error: "/931769/test.tar.phar" is a corrupted tar file (checksum mismatch of file "")' in /931769/test.php:4
Stack trace:
#0 /931769/test.php(4): Phar->__construct('/931769/test.ta...', 0)
#1 {main}
$
Comment 4 Petr Gajdos 2015-05-22 08:28:38 UTC 
affected: 11sp3..13.2
Comment 5 Petr Gajdos 2015-05-22 10:29:38 UTC 
(even if we do not ship php53-phar, I will submit for the case it will be added)
Comment 6 Petr Gajdos 2015-05-22 10:33:29 UTC 
openSUSE: mr#308354
12:       mr#58172
11sp3:    sr#58174
Comment 8 Swamp Workflow Management 2015-06-03 15:05:46 UTC 
openSUSE-SU-2015:0993-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 931421,931769,931772,931776
CVE References: CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-24.2
openSUSE 13.1 (src):    php5-5.4.20-55.2
Comment 11 Swamp Workflow Management 2015-06-09 12:06:52 UTC 
SUSE-SU-2015:1018-1: An update that solves 11 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 922022,922451,922452,923946,924972,925109,928506,928511,931421,931769,931772,931776
CVE References: CVE-2014-9705,CVE-2014-9709,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3329,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    php53-5.3.17-0.41.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    php53-5.3.17-0.41.1
SUSE Linux Enterprise Server 11 SP3 (src):    php53-5.3.17-0.41.1
Comment 13 Swamp Workflow Management 2015-07-17 08:12:38 UTC 
SUSE-SU-2015:1253-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 919080,927147,931421,931769,931772,931776,933227,935224,935226,935227,935232,935234,935274,935275
CVE References: CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    php5-5.5.14-30.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-30.1
Comment 14 Swamp Workflow Management 2015-07-17 09:08:32 UTC 
SUSE-SU-2015:1253-2: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 919080,927147,931421,931769,931772,931776,933227,935224,935226,935227,935232,935234,935274,935275
CVE References: CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-30.1
Comment 15 Marcus Meissner 2015-09-10 15:19:31 UTC 
released
Comment 16 Swamp Workflow Management 2016-06-21 11:14:13 UTC 
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-47.1