945403 – (CVE-2015-6834) VUL-0: CVE-2015-6834: php5, php53: Use After Free Vulnerability in unserialize()

Bug 945403 (CVE-2015-6834) - VUL-0: CVE-2015-6834: php5, php53: Use After Free Vulnerability in unserialize()

Summary: VUL-0: CVE-2015-6834: php5, php53: Use After Free Vulnerability in unserialize()

Status:	RESOLVED FIXED

Alias:	CVE-2015-6834

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/156392/
Whiteboard:	CVSSv2:NVD:CVE-2015-6834:7.5:(AV:N/A...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2015-09-11 07:11 UTC by Victor Pereira
Modified:	2018-10-19 18:39 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
testcase (676 bytes, text/x-delimtext) 2015-09-14 08:08 UTC, Petr Gajdos	Details
testcase (644 bytes, text/x-delimtext) 2015-09-14 08:08 UTC, Petr Gajdos	Details
testcase (631 bytes, text/x-delimtext) 2015-09-14 08:09 UTC, Petr Gajdos	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2015-09-11 07:11:06 UTC

rh#1260642

Use after free vulnerability was found in unserialize() function. We can create ZVAL and free it via Serializable::unserialize. However the unserialize() will still allow to use R: or r: to set references to that already freed memory. It is possible to use-after-free attack and execute arbitrary code remotely.

Upstream bugs:

https://bugs.php.net/bug.php?id=70172
https://bugs.php.net/bug.php?id=70366
https://bugs.php.net/bug.php?id=70365

Upstream patches:

http://git.php.net/?p=php-src.git;a=commit;h=e8429400d40e3c3aa4b22ba701991d698a2f3b2f

http://git.php.net/?p=php-src.git;a=commit;h=259057b2a484747a6c73ce54c4fa0f5acbd56179

http://git.php.net/?p=php-src.git;a=commit;h=f06a069c462d37c2e009f6d1d93b8c8e7b713393


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1260642
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6834
http://seclists.org/oss-sec/2015/q3/524
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-6834.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6834

Comment 1 Swamp Workflow Management 2015-09-11 22:00:25 UTC

bugbot adjusting priority

Comment 2 Petr Gajdos 2015-09-14 08:08:14 UTC

Created attachment 647108 [details]
testcase

Comment 3 Petr Gajdos 2015-09-14 08:08:49 UTC

Created attachment 647109 [details]
testcase

Comment 4 Petr Gajdos 2015-09-14 08:09:45 UTC

Created attachment 647110 [details]
testcase

Comment 12 Swamp Workflow Management 2015-09-25 09:11:08 UTC

openSUSE-SU-2015:1628-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 942291,942293,942294,942295,942296,945402,945403,945412,945428
CVE References: CVE-2015-6831,CVE-2015-6832,CVE-2015-6833,CVE-2015-6834,CVE-2015-6835,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-36.1
openSUSE 13.1 (src):    php5-5.4.20-67.1

Comment 13 Swamp Workflow Management 2015-09-25 13:11:42 UTC

SUSE-SU-2015:1633-1: An update that solves 8 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 935074,942291,942293,942294,942295,942296,944302,945402,945403,945412,945428
CVE References: CVE-2015-6831,CVE-2015-6832,CVE-2015-6833,CVE-2015-6834,CVE-2015-6835,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    php5-5.5.14-36.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-36.1

Comment 14 Marcus Meissner 2015-09-25 14:07:13 UTC

done