Bug 945402 (CVE-2015-6835) - VUL-0: CVE-2015-6835: php5, php53: Use after free vulnerability in session deserializer
Status: RESOLVED FIXED
Alias: CVE-2015-6835
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/156460/
Whiteboard: CVSSv2:NVD:CVE-2015-6835:7.5:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-11 07:08 UTC by Victor Pereira
Modified: 2018-10-19 18:38 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
testcase (447 bytes, application/x-php)
2015-09-15 08:33 UTC, Petr Gajdos
Description Victor Pereira 2015-09-11 07:08:57 UTC
rh#1260647

A use-after-free vulnerability was found in the session deserializer. When the session deserializer (php/php_binary) is deserializing multiple data, it will call php_var_unserialize() multiple times. We can create a ZVAL and free it via php_var_unserialize() with a crafted serialized string. Then the next call to php_var_unserialize() will still allow the use of R: or r: to set references to that already freed memory. It is possible to mount a use-after-free attack and execute arbitrary code remotely.


References:
http://git.php.net/?p=php-src.git;a=commit;h=df4bf28f9f104ca3ef78ed94b497859f15b004e5
https://bugs.php.net/bug.php?id=70219
https://bugzilla.redhat.com/show_bug.cgi?id=1260647
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6835
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-6835.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6835
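
A toy C model of the lifetime problem reported above, added here as an illustration and not taken from PHP or from this bug report: a back-reference table outlives a value that an earlier decode call created and the caller released. The pool, the names (`decoder_t`, `decode_value`, `resolve_ref`) and the hardening shown (the table holding its own reference) are assumptions for the sketch, not the upstream fix.

```c
#include <stddef.h>

/* Toy model, not PHP source. Values live in a fixed pool and "free" means the
   refcount reached zero, so nothing here reads released heap memory. */
#define POOL 4
#define TABLE 8

typedef struct { int refcount; long payload; } value_t;

typedef struct {
    value_t pool[POOL];
    value_t *slots[TABLE]; /* back-reference table shared by every decode call */
    size_t nslots;
    int hardened;          /* 1: the table holds its own reference */
} decoder_t;

/* Hand out the first cell whose refcount is zero, as an allocator would. */
static value_t *value_alloc(decoder_t *d, long payload) {
    for (size_t i = 0; i < POOL; i++)
        if (d->pool[i].refcount == 0) {
            d->pool[i].refcount = 1;
            d->pool[i].payload = payload;
            return &d->pool[i];
        }
    return NULL;
}

static void value_release(value_t *v) { if (v && v->refcount > 0) v->refcount--; }
/* One decode call: create a value and record it for later R:/r: lookups. */
static value_t *decode_value(decoder_t *d, long payload) {
    value_t *v = d->nslots < TABLE ? value_alloc(d, payload) : NULL;
    if (!v) return NULL;
    if (d->hardened) v->refcount++; /* value now lives as long as the table */
    d->slots[d->nslots++] = v;
    return v;
}

/* Resolve back-reference n (1-based, as in R:n); NULL if out of range. */
static value_t *resolve_ref(decoder_t *d, size_t n) {
    return (n >= 1 && n <= d->nslots) ? d->slots[n - 1] : NULL;
}

/* Entry 1 is decoded and dropped, entry 2 is decoded, then R:1 is resolved. */
long payload_seen_via_ref1(int hardened) {
    decoder_t d = { .hardened = hardened };
    value_release(decode_value(&d, 1111)); /* caller drops entry 1 */
    decode_value(&d, 2222);                /* unhardened: reuses that cell */
    return resolve_ref(&d, 1)->payload;
}
```

Without the extra reference, back-reference 1 resolves to a cell that now holds entry 2; with it, entry 1 is still intact when the reference is followed.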
Comment 1 Swamp Workflow Management 2015-09-11 22:00:15 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2015-09-15 08:33:59 UTC
Created attachment 647263
testcase
Comment 8 Swamp Workflow Management 2015-09-25 09:10:58 UTC
openSUSE-SU-2015:1628-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 942291,942293,942294,942295,942296,945402,945403,945412,945428
CVE References: CVE-2015-6831,CVE-2015-6832,CVE-2015-6833,CVE-2015-6834,CVE-2015-6835,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-36.1
openSUSE 13.1 (src):    php5-5.4.20-67.1
Comment 9 Swamp Workflow Management 2015-09-25 13:11:32 UTC
SUSE-SU-2015:1633-1: An update that solves 8 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 935074,942291,942293,942294,942295,942296,944302,945402,945403,945412,945428
CVE References: CVE-2015-6831,CVE-2015-6832,CVE-2015-6833,CVE-2015-6834,CVE-2015-6835,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    php5-5.5.14-36.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-36.1
Comment 10 Marcus Meissner 2015-09-25 14:07:24 UTC
done