Bug 949961 (CVE-2015-7803) - VUL-1: CVE-2015-7803: php5,php53: Null pointer dereference in phar_get_fp_offset()
Summary: VUL-1: CVE-2015-7803: php5,php53: Null pointer dereference in phar_get_fp_off...
Status: RESOLVED FIXED
Alias: CVE-2015-7803
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/157566/
Whiteboard: CVSSv2:RedHat:CVE-2015-7803:4.3:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-12 09:54 UTC by Andreas Stieger
Modified: 2016-08-01 08:43 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
testcase phar (8.00 KB, application/x-tar)
2015-10-12 13:16 UTC, Petr Gajdos 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-10-12 09:54:30 UTC 
https://bugs.php.net/bug.php?id=69720

Description:
------------
If a Tar entry has the Link indicator set and points to an nonexisting file, phar_get_link_source() returns a NULL value phar/util.c:69:

            if (SUCCESS == zend_hash_find(&(entry->phar->manifest), entry->link, strlen(entry->link), (void **)&link_entry) || 
                    SUCCESS == zend_hash_find(&(entry->phar->manifest), link, strlen(link), (void **)&link_entry)) {
					.......		
			}else {       
					.......                                                         
					return NULL;
			}

The NULL value gets passed into phar_get_fp_offset() at util.c:497:
		(*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry TSRMLS_CC) TSRMLS_CC);


The NULL pointer dereference occurs in phar_internal.h:444 where entry is NULL :
		if (!entry->is_persistent) 

This causes PHP to seg fault.


Proof Of Concept:
./php readphar.php Null_ptr_deref_in_phar_get_fp_offset.tar.phar
Segmentation fault


POC can be found here: https://www.dropbox.com/s/6hks64dopgcco9f/POC_Null_ptr_deref_in_phar_get_fp_offset.zip?dl=0


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7803
http://seclists.org/oss-sec/2015/q4/58
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7803
Comment 1 Andreas Stieger 2015-10-12 12:34:13 UTC 
master commit:
2cacf5770daa13b0c498f48d1f7b20b6585a70bf

Backport commit: 
d698f0ae51f67c9cce870b09c59df3d6ba959244

Note the difference in the commits.

Fixed in tags:
php-5.5.30
php-7.0.0RC4
Comment 2 Petr Gajdos 2015-10-12 13:16:39 UTC 
Created attachment 651183 [details]
testcase phar
Comment 3 Petr Gajdos 2015-10-12 13:57:46 UTC 
# zypper in php5-phar
$ cat bug69720.php
<?php
try {
    // open an existing phar
    $p = new Phar(__DIR__."/bug69720.phar",0);
    // Phar extends SPL's DirectoryIterator class
	echo $p->getMetadata();
    foreach (new RecursiveIteratorIterator($p) as $file) {
        // $file is a PharFileInfo class, and inherits from SplFileInfo
	$temp="";
        $temp= $file->getFileName() . "\n";
        $temp.=file_get_contents($file->getPathName()) . "\n"; // display contents
	var_dump($file->getMetadata());
    }
}
 catch (Exception $e) {
    echo 'Could not open Phar: ', $e;
}
?>

BEFORE

$ php bug69720.php
MY_METADATA_NULL
Segmentation fault (core dumped)
$

AFTER

$ php bug69720.php
MY_METADATA_NULL
PHP Warning:  file_get_contents(phar:///949961/bug69720.phar/test.php): failed to open stream: phar error: "test.php" is not a file in phar "/949961/bug69720.phar" in /949961/bug69720.php on line 11
array(1) {
  ["whatever"]=>
  int(123)
}
object(DateTime)#2 (3) {
  ["date"]=>
  string(26) "2000-01-01 00:00:00.000000"
  ["timezone_type"]=>
  int(3)
  ["timezone"]=>
  string(3) "UTC"
}

$
Comment 7 Swamp Workflow Management 2015-10-12 22:00:45 UTC 
bugbot adjusting priority
Comment 8 Petr Gajdos 2016-01-18 12:39:58 UTC 
Submitted for sle12 (-> 42.1) and 13.2.

11sp3 and 13.1 remains.
Comment 10 Bernhard Wiedemann 2016-01-18 13:00:19 UTC 
This is an autogenerated message for OBS integration:
This bug (949961) was mentioned in
https://build.opensuse.org/request/show/354582 13.2 / php5
Comment 11 Swamp Workflow Management 2016-01-26 17:15:12 UTC 
openSUSE-SU-2016:0251-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 949961,949962,962057
CVE References: CVE-2015-7803,CVE-2015-7804,CVE-2016-1903
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-39.1
Comment 13 Swamp Workflow Management 2016-01-29 15:13:27 UTC 
SUSE-SU-2016:0284-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 949961,962057
CVE References: CVE-2015-7803,CVE-2016-1903
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-42.2
SUSE Linux Enterprise Software Development Kit 12 (src):    php5-5.5.14-42.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-42.2
Comment 14 Swamp Workflow Management 2016-02-07 19:13:59 UTC 
openSUSE-SU-2016:0366-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 949961,962057
CVE References: CVE-2015-7803,CVE-2016-1903
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-41.1
Comment 15 Petr Gajdos 2016-03-01 13:14:50 UTC 
Package submitted into 11sp3.
Comment 22 Swamp Workflow Management 2016-04-25 17:08:17 UTC 
SUSE-SU-2016:1145-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 949961,968284,969821,971611,971612,971912,973351,973792
CVE References: CVE-2014-9767,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-59.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-59.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-59.1
Comment 23 Swamp Workflow Management 2016-06-14 18:08:08 UTC 
SUSE-SU-2016:1581-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2014-9767,CVE-2015-4116,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE OpenStack Cloud 5 (src):    php53-5.3.17-71.1
SUSE Manager Proxy 2.1 (src):    php53-5.3.17-71.1
SUSE Manager 2.1 (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-71.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-71.1
Comment 24 Swamp Workflow Management 2016-06-21 11:17:15 UTC 
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-47.1
Comment 25 Marcus Meissner 2016-08-01 08:43:34 UTC 
all released