Bugzilla – Bug 968284
VUL-0: CVE-2016-2554: php5, php53: Stack overflow vulnerability when decompressing tar phar archives
Last modified: 2016-06-21 11:17:25 UTC
https://bugs.php.net/bug.php?id=71488 CVE-2016-2554 was assigned to this issue. Description: ------------ A stack overflow may occur when decompressing tar archives due to `phar_tar_writeheaders()' potentially copying non-terminated linknames from entries parsed by `phar_parse_tarfile()' (tested with 5.6.11, 5.6.17 and 7.0.2). php-5.6.17/ext/phar/tar.h #65..94: ,---- | typedef struct _tar_header { /* {{{ */ | [...] | char linkname[100]; /* name of linked file */ | char magic[6]; /* USTAR indicator */ | char version[2]; /* USTAR version */ | char uname[32]; /* owner user name */ | char gname[32]; /* owner group name */ | char devmajor[8]; /* device major number */ | char devminor[8]; /* device minor number */ | char prefix[155]; /* prefix for file name; | the value of the prefix field, if non-null, | is prefixed to the name field to allow names | longer then 100 characters */ | char padding[12]; /* unused zeroed bytes */ | } PHAR_TAR_PACK tar_header; `---- php-5.6.17/ext/phar/tar.c #198..678: ,---- | int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias, int alias_len, phar_archive_data** pphar, int is_data, php_uint32 compression, char **error TSRMLS_DC) /* {{{ */ | { | char buf[512], *actual_alias = NULL, *p; | phar_entry_info entry = {0}; | size_t pos = 0, read, totalsize; | tar_header *hdr; | php_uint32 sum1, sum2, size, old; | phar_archive_data *myphar, **actual; | int last_was_longlink = 0; | | [...] | read = php_stream_read(fp, buf, sizeof(buf)); | [...] | | do { | [...] | hdr = (tar_header*) buf; | [...] | | if (entry.tar_type == TAR_LINK) { | [...] | entry.link = estrdup(hdr->linkname); | } else if (entry.tar_type == TAR_SYMLINK) { | entry.link = estrdup(hdr->linkname); | } | [...] | read = php_stream_read(fp, buf, sizeof(buf)); | [...] | } while (read != 0); | [...] | } | /* }}} */ `---- linkname is expected to be <=100 bytes and it's estrdup:ed from `((tar_header *)buf)->linkname' to `entry.link'. However, since there's no guarantee that `linkname' or any of the following buffers are NUL-terminated, the resulting `entry.link' may be at least sizeof(linkname) + ... + sizeof(padding) = 355 bytes (and possibly bigger depending on where \0 is encountered). As the header is later written in `phar_tar_writeheaders()', linkname is strncpy:d to `char linkname[100]' with a len based on the source string. php-5.6.17/ext/phar/tar.c #688..835: ,---- | static int phar_tar_writeheaders(void *pDest, void *argument TSRMLS_DC) /* {{{ */ | { | tar_header header; | [...] | phar_entry_info *entry = (phar_entry_info *) pDest; | | [...] | if (entry->link) { | strncpy(header.linkname, entry->link, strlen(entry->link)); | } | [...] | } | /* }}} */ `---- Test script: --------------- crash.py: https://gist.github.com/dyntopia/561a1be3b0e772d792b6 phar.py: https://gist.github.com/dyntopia/292f2b975f18dde06491 Actual result: -------------- With php-5.6.17 compiled with -D_FORTIFY_SOURCE=2: ,---- | $ python crash.py crash.tar | $ gdb --args php-5.6.17/bin/php phar.php crash.tar ext | (gdb) b tar.c:490 | (gdb) r | Breakpoint 1, phar_parse_tarfile [...] | 490 entry.link = estrdup(hdr->linkname); | | (gdb) call strlen(hdr->linkname) | $1 = 617 | (gdb) printf "%s\n", hdr->linkname | linkname...linkname...linkname...linkname...linkname...linkname... | linkname...linkname...linkname...lmagic...uname...uname...uname... | uname...gname...gname...gname...gname...major...minor...prefix... | prefix...prefix...prefix...prefix...prefix...prefix...prefix... | prefix...prefix...prefix...prefix...prefix...prefix...prefix... | prefix...prefix...prpadding...paprefix...prefix...prefix... | prefix...prefix...prefix...prefix...prefix...prefix...prefix... | prefix...prefix...prefix...prefix...prefix...prefix...prefix... | pr/name...name...name...name...name...name...name...name...name... | name...name...name...name...name...na????? | | (gdb) b strncpy | (gdb) c | Breakpoint 2, phar_tar_writeheaders [...] | 756 strncpy(header.linkname, entry->link, strlen(entry->link)); | (gdb) p sizeof(header.linkname) | $2 = 100 | | (gdb) s | strncpy (__len=617, __src=0x7ffff7fdbbe0 "linkname...linkname... | linkname...linkname...linkname...linkname...linkname...linkname... | linkname...lmagic...uname...uname...uname...uname...gname...gname... | gname...gname...major...minor...prefix...pre"..., __dest=0x7fffffffa13d "") | at /usr/include/x86_64-linux-gnu/bits/string3.h:126 | 126 return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest)); | | (gdb) c | Continuing. | *** buffer overflow detected ***: /home/php/php-5.6.17/bin/php terminated | ======= Backtrace: ========= | /lib/x86_64-linux-gnu/libc.so.6(+0x78c4e)[0x7ffff6fa7c4e] | /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7047e8c] | /lib/x86_64-linux-gnu/libc.so.6(+0x116e80)[0x7ffff7045e80] | /lib/x86_64-linux-gnu/libc.so.6(+0x116319)[0x7ffff7045319] | /home/php/php-5.6.17/bin/php[0x5983e4] | /home/php/php-5.6.17/bin/php(zend_hash_apply_with_argument+0x79)[0x6f4cf9] | /home/php/php-5.6.17/bin/php[0x59aa84] | /home/php/php-5.6.17/bin/php[0x5af476] | /home/php/php-5.6.17/bin/php[0x5ba050] | /home/php/php-5.6.17/bin/php[0x5baf2a] | /home/php/php-5.6.17/bin/php[0x79543f] | /home/php/php-5.6.17/bin/php(execute_ex+0x40)[0x723a50] | /home/php/php-5.6.17/bin/php(zend_execute_scripts+0x180)[0x6e7dd0] | /home/php/php-5.6.17/bin/php(php_execute_script+0x280)[0x683160] | /home/php/php-5.6.17/bin/php[0x796f32] | /home/php/php-5.6.17/bin/php[0x423c9e] | /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ffff6f4fa40] | /home/php/php-5.6.17/bin/php(_start+0x29)[0x423de9] | ======= Memory map: ======== | 00400000-00bff000 r-xp 00000000 08:01 557690 /home/php/php-5.6.17/bin/php | 00dfe000-00e8f000 r--p 007fe000 08:01 557690 /home/php/php-5.6.17/bin/php | 00e8f000-00e98000 rw-p 0088f000 08:01 557690 /home/php/php-5.6.17/bin/php | 00e98000-01051000 rw-p 00000000 00:00 0 [heap] | 7ffff44f3000-7ffff4931000 r--p 00000000 08:01 136079 /usr/lib/locale/locale-archive | 7ffff4931000-7ffff4947000 r-xp 00000000 08:01 786971 /lib/x86_64-linux-gnu/libgcc_s.so.1 | 7ffff4947000-7ffff4b46000 ---p 00016000 08:01 786971 /lib/x86_64-linux-gnu/libgcc_s.so.1 | 7ffff4b46000-7ffff4b47000 r--p 00015000 08:01 786971 /lib/x86_64-linux-gnu/libgcc_s.so.1 | 7ffff4b47000-7ffff4b48000 rw-p 00016000 08:01 786971 /lib/x86_64-linux-gnu/libgcc_s.so.1 | 7ffff4b48000-7ffff4cbb000 r-xp 00000000 08:01 133608 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21 | 7ffff4cbb000-7ffff4eba000 ---p 00173000 08:01 133608 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21 | 7ffff4eba000-7ffff4ec4000 r--p 00172000 08:01 133608 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21 | 7ffff4ec4000-7ffff4ec6000 rw-p 0017c000 08:01 133608 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21 | 7ffff4ec6000-7ffff4eca000 rw-p 00000000 00:00 0 | 7ffff4eca000-7ffff6780000 r-xp 00000000 08:01 140633 /usr/lib/x86_64-linux-gnu/libicudata.so.55.1 | 7ffff6780000-7ffff697f000 ---p 018b6000 08:01 140633 /usr/lib/x86_64-linux-gnu/libicudata.so.55.1 | 7ffff697f000-7ffff6980000 r--p 018b5000 08:01 140633 /usr/lib/x86_64-linux-gnu/libicudata.so.55.1 | 7ffff6980000-7ffff6981000 rw-p 018b6000 08:01 140633 /usr/lib/x86_64-linux-gnu/libicudata.so.55.1 | 7ffff6981000-7ffff699a000 r-xp 00000000 08:01 787064 /lib/x86_64-linux-gnu/libz.so.1.2.8 | 7ffff699a000-7ffff6b99000 ---p 00019000 08:01 787064 /lib/x86_64-linux-gnu/libz.so.1.2.8 | 7ffff6b99000-7ffff6b9a000 r--p 00018000 08:01 787064 /lib/x86_64-linux-gnu/libz.so.1.2.8 | 7ffff6b9a000-7ffff6b9b000 rw-p 00019000 08:01 787064 /lib/x86_64-linux-gnu/libz.so.1.2.8 | 7ffff6b9b000-7ffff6d1a000 r-xp 00000000 08:01 140629 /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1 | 7ffff6d1a000-7ffff6f1a000 ---p 0017f000 08:01 140629 /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1 | 7ffff6f1a000-7ffff6f2a000 r--p 0017f000 08:01 140629 /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1 | 7ffff6f2a000-7ffff6f2b000 rw-p 0018f000 08:01 140629 /usr/lib/x86_64-linux-gnu/libicuuc.so.55.1 | 7ffff6f2b000-7ffff6f2f000 rw-p 00000000 00:00 0 | 7ffff6f2f000-7ffff70ef000 r-xp 00000000 08:01 786945 /lib/x86_64-linux-gnu/libc-2.21.so | 7ffff70ef000-7ffff72ef000 ---p 001c0000 08:01 786945 /lib/x86_64-linux-gnu/libc-2.21.so | 7ffff72ef000-7ffff72f3000 r--p 001c0000 08:01 786945 /lib/x86_64-linux-gnu/libc-2.21.so | 7ffff72f3000-7ffff72f5000 rw-p 001c4000 08:01 786945 /lib/x86_64-linux-gnu/libc-2.21.so | 7ffff72f5000-7ffff72f9000 rw-p 00000000 00:00 0 | 7ffff72f9000-7ffff74a6000 r-xp 00000000 08:01 134031 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.2 | 7ffff74a6000-7ffff76a6000 ---p 001ad000 08:01 134031 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.2 | 7ffff76a6000-7ffff76ae000 r--p 001ad000 08:01 134031 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.2 | 7ffff76ae000-7ffff76b0000 rw-p 001b5000 08:01 134031 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.2 | 7ffff76b0000-7ffff76b1000 rw-p 00000000 00:00 0 | 7ffff76b1000-7ffff76b4000 r-xp 00000000 08:01 786959 /lib/x86_64-linux-gnu/libdl-2.21.so | 7ffff76b4000-7ffff78b3000 ---p 00003000 08:01 786959 /lib/x86_64-linux-gnu/libdl-2.21.so | 7ffff78b3000-7ffff78b4000 r--p 00002000 08:01 786959 /lib/x86_64-linux-gnu/libdl-2.21.so | 7ffff78b4000-7ffff78b5000 rw-p 00003000 08:01 786959 /lib/x86_64-linux-gnu/libdl-2.21.so | 7ffff78b5000-7ffff79bc000 r-xp 00000000 08:01 786990 /lib/x86_64-linux-gnu/libm-2.21.so | 7ffff79bc000-7ffff7bbb000 ---p 00107000 08:01 786990 /lib/x86_64-linux-gnu/libm-2.21.so | 7ffff7bbb000-7ffff7bbc000 r--p 00106000 08:01 786990 /lib/x86_64-linux-gnu/libm-2.21.so | 7ffff7bbc000-7ffff7bbd000 rw-p 00107000 08:01 786990 /lib/x86_64-linux-gnu/libm-2.21.so | 7ffff7bbd000-7ffff7bd4000 r-xp 00000000 08:01 787034 /lib/x86_64-linux-gnu/libresolv-2.21.so | 7ffff7bd4000-7ffff7dd4000 ---p 00017000 08:01 787034 /lib/x86_64-linux-gnu/libresolv-2.21.so | 7ffff7dd4000-7ffff7dd6000 r--p 00017000 08:01 787034 /lib/x86_64-linux-gnu/libresolv-2.21.so | 7ffff7dd6000-7ffff7dd7000 rw-p 00019000 08:01 787034 /lib/x86_64-linux-gnu/libresolv-2.21.so | 7ffff7dd7000-7ffff7dd9000 rw-p 00000000 00:00 0 | 7ffff7dd9000-7ffff7dfd000 r-xp 00000000 08:01 786921 /lib/x86_64-linux-gnu/ld-2.21.so | 7ffff7e51000-7ffff7fea000 rw-p 00000000 00:00 0 | 7ffff7ff5000-7ffff7ff8000 rw-p 00000000 00:00 0 | 7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar] | 7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso] | 7ffff7ffc000-7ffff7ffd000 r--p 00023000 08:01 786921 /lib/x86_64-linux-gnu/ld-2.21.so | 7ffff7ffd000-7ffff7ffe000 rw-p 00024000 08:01 786921 /lib/x86_64-linux-gnu/ld-2.21.so | 7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 | 7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack] | ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] | | Program received signal SIGABRT, Aborted. | 0x00007ffff6f64267 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55 | 55 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. | (gdb) `---- -- Hans Jerry Illikainen References: https://bugzilla.redhat.com/show_bug.cgi?id=1305543
bugbot adjusting priority
Packages submitted into 11sp3, 12 and 13.2.
This is an autogenerated message for OBS integration: This bug (968284) was mentioned in https://build.opensuse.org/request/show/363560 13.2 / php5
openSUSE-SU-2016:0709-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 968284 CVE References: CVE-2016-2554 Sources used: openSUSE 13.2 (src): php5-5.6.1-42.2
SUSE-SU-2016:1145-1: An update that fixes 8 vulnerabilities is now available. Category: security (important) Bug References: 949961,968284,969821,971611,971612,971912,973351,973792 CVE References: CVE-2014-9767,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-59.1 SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-59.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-59.1
releasing SLE 12
SUSE-SU-2016:1166-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 968284,969821,971611,971612,971912,973351,973792 CVE References: CVE-2014-9767,CVE-2015-8835,CVE-2015-8838,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-53.1 SUSE Linux Enterprise Software Development Kit 12 (src): php5-5.5.14-53.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-53.1
Releasing for openSUSE Leap 42.1, all done.
openSUSE-SU-2016:1173-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 968284,969821,971611,971612,971912,973351,973792 CVE References: CVE-2014-9767,CVE-2015-8835,CVE-2015-8838,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185 Sources used: openSUSE Leap 42.1 (src): php5-5.5.14-44.1
SUSE-SU-2016:1581-1: An update that fixes 31 vulnerabilities is now available. Category: security (important) Bug References: 949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162 CVE References: CVE-2014-9767,CVE-2015-4116,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114 Sources used: SUSE OpenStack Cloud 5 (src): php53-5.3.17-71.1 SUSE Manager Proxy 2.1 (src): php53-5.3.17-71.1 SUSE Manager 2.1 (src): php53-5.3.17-71.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-71.1 SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-71.1 SUSE Linux Enterprise Server 11-SP3-LTSS (src): php53-5.3.17-71.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-71.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-71.1
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available. Category: security (important) Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162 CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-47.1