Bugzilla – Bug 973351
VUL-0: CVE-2015-8835: php5,php53: SoapClient's __call method suffers from type confusion issue
Last modified: 2016-08-01 09:02:02 UTC
CVE-2015-8835
http://seclists.org/oss-sec/2016/q1/695

Missing check if returned value is really a string.

Upstream bug: https://bugs.php.net/bug.php?id=70081
Upstream fix: https://git.php.net/?p=php-src.git;a=commitdiff;h=c96d08b27226193dd51f2b50e84272235c6aaa69
bugbot adjusting priority
(In reply to Johannes Segitz from comment #0)
> CVE-2015-8835
> https://git.php.net/?p=php-src.git;a=commitdiff;
> h=c96d08b27226193dd51f2b50e84272235c6aaa69

So if I understand correctly, the second part of the relevant hunk is bound to CVE-2016-3185 (bug 971611 comment 2).
Packages submitted.
This is an autogenerated message for OBS integration: This bug (973351) was mentioned in https://build.opensuse.org/request/show/382845 13.2 / php5
This is an autogenerated message for OBS integration: This bug (973351) was mentioned in https://build.opensuse.org/request/show/384375 13.2 / php5
This is an autogenerated message for OBS integration: This bug (973351) was mentioned in https://build.opensuse.org/request/show/385728 13.2 / php5
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-04-15. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62611
For SLES12-SP0:

# rpm -q php5
php5-5.5.14-51.1.x86_64 ---> Maintenance candidate for release

Using the reproducer from: https://bugs.php.net/bug.php?id=70081

hellblazer:/tmp/kostas # gdb php
GNU gdb (GDB; SUSE Linux Enterprise 12) 7.9.1
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-suse-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://bugs.opensuse.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from php...(no debugging symbols found)...done.
Missing separate debuginfos, use: zypper install php5-debuginfo-5.5.14-51.1.x86_64
(gdb) r poc1.php
Starting program: /usr/bin/php poc1.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555b7b8f5 in zend_hash_get_current_key_ex ()
(gdb) r poc2.php
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/bin/php poc2.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
PHP Fatal error:  Uncaught SoapFault exception: [HTTP] Not Found in /tmp/kostas/poc2.php:6
Stack trace:
#0 [internal function]: SoapClient->__doRequest('<?xml version="...', 'http://pwn.bado...', 'a#notexisting', 1, 0)
#1 /tmp/kostas/poc2.php(6): SoapClient->__call('notexisting', Array)
#2 /tmp/kostas/poc2.php(6): SoapClient->notexisting()
#3 {main}
  thrown in /tmp/kostas/poc2.php on line 6
[Inferior 1 (process 3159) exited with code 0377]
(gdb) q

So: not fixed with submission SUSE:Maintenance:2112:107692
The hellblazer host is sle12-sp1, not sle12-sp0 as I said in comment #12. Sorry for the confusion :)
(In reply to Konstantinos Tsamis from comment #12)
> (gdb) r poc1.php
> Starting program: /usr/bin/php poc1.php
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib64/libthread_db.so.1".
>
> Program received signal SIGSEGV, Segmentation fault.

Agreed, the fix does not look complete. With 5.6.20 on Tumbleweed I get:

$ php poc1.php
PHP Fatal error:  Uncaught SoapFault exception: [HTTP] Not Found in /home/pgajdos/work/php5/973351/poc2.php:6
Stack trace:
#0 [internal function]: SoapClient->__doRequest('<?xml version="...', 'http://pwn.bado...', 'a#notexisting', 1, 0)
#1 /home/pgajdos/work/php5/973351/poc2.php(6): SoapClient->__call('notexisting', Array)
#2 /home/pgajdos/work/php5/973351/poc2.php(6): SoapClient->notexisting()
#3 {main}
  thrown in /home/pgajdos/work/php5/973351/poc2.php on line 6
$

With 5.6.1 on 13.2 (incl. CVE-2015-8835.patch) I really get the segfault, still:

$ php poc1.php
Segmentation fault (core dumped)
$
Packages submitted again.
This is an autogenerated message for OBS integration: This bug (973351) was mentioned in https://build.opensuse.org/request/show/389948 13.2 / php5
SUSE-SU-2016:1145-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 949961,968284,969821,971611,971612,971912,973351,973792
CVE References: CVE-2014-9767,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-59.1
SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-59.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-59.1
SUSE-SU-2016:1166-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 968284,969821,971611,971612,971912,973351,973792
CVE References: CVE-2014-9767,CVE-2015-8835,CVE-2015-8838,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-53.1
SUSE Linux Enterprise Software Development Kit 12 (src): php5-5.5.14-53.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-53.1
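Comment 12 above checked a host with `rpm -q php5` returning php5-5.5.14-51.1.x86_64, and this advisory names php5-5.5.14-53.1 as the fixed source package for SLE 12. The script below is an added example (not SUSE's tooling and not part of this bug) that automates that comparison: it pulls the CVE list and the "(src): package" entries out of an advisory message and decides whether an installed name-version-release is at or above the fixed one. The advisory text and the installed package string are the values quoted on this page; the version comparison is a simplified re-implementation of rpm's rpmvercmp (tilde/caret ordering and epochs are not handled, which is fine for the php5/php53 packages here).

```python
import re

# Constructed sample input, copied from what this bug quotes: the header,
# CVE list and "Sources used" block of SUSE-SU-2016:1166-1.
ADVISORY_TEXT = """SUSE-SU-2016:1166-1: An update that fixes 7 vulnerabilities is now available.
CVE References: CVE-2014-9767,CVE-2015-8835,CVE-2015-8838,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-53.1
SUSE Linux Enterprise Software Development Kit 12 (src): php5-5.5.14-53.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-53.1
"""
INSTALLED = "php5-5.5.14-51.1.x86_64"   # `rpm -q php5` output from comment 12

_ARCHES = ("x86_64", "i586", "i686", "noarch", "aarch64", "ppc64le", "s390x", "src")
_NEVRA_RE = re.compile(r"^(.+)-([^-]+)-([^-]+?)(?:\.(" + "|".join(_ARCHES) + r"))?$")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version comparison (assumption: no '~'/'^' segments).
    Both strings are split into numeric and alphabetic runs; numeric runs are
    compared as integers, alphabetic runs lexically, a numeric run beats an
    alphabetic one, and a string beats its own prefix. Returns -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_nevra(pkg: str):
    """Split 'name-version-release[.arch]' into (name, version, release).
    Epochs are not handled (the php5/php53 packages on this page carry none)."""
    m = _NEVRA_RE.match(pkg.strip())
    if not m:
        raise ValueError(f"not a name-version-release string: {pkg!r}")
    return m.group(1), m.group(2), m.group(3)


def compare_vr(installed: str, fixed: str) -> int:
    """Order two packages of the same name by version first, then release."""
    n1, v1, r1 = parse_nevra(installed)
    n2, v2, r2 = parse_nevra(fixed)
    if n1 != n2:
        raise ValueError(f"package names differ: {n1} vs {n2}")
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def parse_advisory(text: str):
    """Extract the CVE set and the (product, source package) pairs from an
    advisory in the format the OBS/SUSE bot posts to this bug."""
    cves, fixed = set(), []
    for line in text.splitlines():
        if line.startswith("CVE References:"):
            cves.update(c.strip() for c in line.split(":", 1)[1].split(","))
        elif "(src):" in line:
            product, pkg = line.split("(src):", 1)
            fixed.append((product.strip(), pkg.strip()))
    return cves, fixed


def is_fixed(installed: str, advisory: str, cve: str):
    """True if the advisory covers `cve` and `installed` is at or above every
    fixed package of the same name; False if it is below; None if the advisory
    does not mention the CVE or ships no package of that name."""
    cves, fixed = parse_advisory(advisory)
    if cve not in cves:
        return None
    name = parse_nevra(installed)[0]
    candidates = [pkg for _, pkg in fixed if parse_nevra(pkg)[0] == name]
    if not candidates:
        return None
    return all(compare_vr(installed, pkg) >= 0 for pkg in candidates)


if __name__ == "__main__":
    # Reproduces the situation in comment 12: 51.1 is older than the fixed 53.1.
    print(INSTALLED, "fixed for CVE-2015-8835:",
          is_fixed(INSTALLED, ADVISORY_TEXT, "CVE-2015-8835"))
```

A negative result from this check says only that the package predates the advisory; as comments 12 and 15 show, a package that carries the patch can still be vulnerable when the patch is incomplete, so the reproducer from the upstream bug remains the authoritative test.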
openSUSE-SU-2016:1167-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 969821,971611,971612,971912,973351,973792,974305
CVE References: CVE-2014-9767,CVE-2015-8835,CVE-2015-8838,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185
Sources used:
openSUSE 13.2 (src): php5-5.6.1-53.3
Releasing for openSUSE Leap 42.1, all done.
openSUSE-SU-2016:1173-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 968284,969821,971611,971612,971912,973351,973792
CVE References: CVE-2014-9767,CVE-2015-8835,CVE-2015-8838,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185
Sources used:
openSUSE Leap 42.1 (src): php5-5.5.14-44.1
SUSE-SU-2016:1581-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2014-9767,CVE-2015-4116,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE OpenStack Cloud 5 (src): php53-5.3.17-71.1
SUSE Manager Proxy 2.1 (src): php53-5.3.17-71.1
SUSE Manager 2.1 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): php53-5.3.17-71.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-71.1
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-47.1
Panos, I think the issue was that localhost might not have had an HTTP server running? But the updates were all released.