Bug 960178 (CVE-2015-8616) - VUL-0: CVE-2015-8616 php: Use after free vulnerability in Collator::sortWithSortKeys
Status: RESOLVED INVALID
Alias: CVE-2015-8616
Product: openSUSE.org
Classification: openSUSE
Component: 3rd party software
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Petr Gajdos
QA Contact: E-mail List
URL: https://smash.suse.de/issue/160030/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-23 15:47 UTC by Andreas Stieger
Modified: 2015-12-28 10:34 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2015-12-23 15:47:17 UTC
A use-after-free vulnerability was found in Collator::sortWithSortKeys that can potentially be remotely exploitable if the sorting function is called on a user-supplied array. Only PHP 7 is affected.

Upstream bug (contains a reproducer resulting in a null dereference):

https://bugs.php.net/bug.php?id=71020

CVE assignment:

http://seclists.org/oss-sec/2015/q4/561


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1293876
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8616
http://seclists.org/oss-sec/2015/q4/561
https://github.com/php/php-src/commit/b101a6bbd4f2181c360bd38e7683df4a03cba83e
https://bugs.php.net/bug.php?id=71105
Comment 1 Andreas Stieger 2015-12-23 15:47:45 UTC
devel:languages:php:php7/php7 only
Comment 2 Swamp Workflow Management 2015-12-23 23:00:26 UTC
bugbot adjusting priority
Comment 3 Petr Gajdos 2015-12-28 10:34:54 UTC
Bug was introduced by
https://github.com/php/php-src/commit/4fbaddb4f8b041769bea7efdd12313641387bd14
i.e. between 7.0.1 and 7.0.2. This refactoring has not happened anywhere other than in php7; we are not affected.