Bugzilla – Bug 969821
L3-Question: VUL-1: CVE-2016-3141: php5: PHP Bugfix (71587) - Use-After-Free / Double-Free in WDDX Deserialize
Last modified: 2018-02-20 23:39:17 UTC
Do we already have the following bugfix in scope? https://bugs.php.net/bug.php?id=71587 Research in SUSE BZ did not show any similar issue reported.
Seems like the fix is missing.
Created attachment 668146 [details]
xx.php

php xx.php
bugbot adjusting priority
requested cve on oss-sec
commit http://git.php.net/?p=php-src.git;a=commit;h=b1bd4119bcafab6f9a8f84d92cd65eec3afeface
Tested on 13.2 and 11. Installed packages: php5, php5-wddx

BEFORE:
$ USE_ZEND_ALLOC=0 valgrind php xx.php
==16238== Memcheck, a memory error detector.
==16238== Copyright (C) 2002-2007, and GNU GPL'd, by Julian Seward et al.
==16238== Using LibVEX rev 1854, a library for dynamic binary translation.
==16238== Copyright (C) 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==16238== Using valgrind-3.3.1, a dynamic binary instrumentation framework.
==16238== Copyright (C) 2000-2007, and GNU GPL'd, by Julian Seward et al.
==16238== For more details, rerun with: -v
==16238==
==16238== Invalid read of size 1
==16238==    at 0x4C25E22: strlen (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==16238==    by 0x5398FA: _estrdup (in /usr/bin/php5)
==16238==    by 0x704A288: (within /usr/lib64/php5/extensions/wddx.so)
==16238==    by 0x50B0A0: (within /usr/bin/php5)
==16238==    by 0x5F88ED8: xmlParseStartTag (in /usr/lib64/libxml2.so.2.7.1)
==16238==    by 0x5F8E9DC: xmlParseChunk (in /usr/lib64/libxml2.so.2.7.1)
==16238==    by 0x50AF0C: php_XML_Parse (in /usr/bin/php5)
==16238==    by 0x7049187: php_wddx_deserialize_ex (in /usr/lib64/php5/extensions/wddx.so)
==16238==    by 0x704930D: zif_wddx_deserialize (in /usr/lib64/php5/extensions/wddx.so)
[ .. many valgrind errors .. ]
$

AFTER:
$ USE_ZEND_ALLOC=0 valgrind php xx.php
Memcheck, a memory error detector
==14909== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==14909== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==14909== Command: php xx.php
==14909==
array(2) {
  [0]=>
  string(8) "manhluat"
  [1]=>
  bool(true)
}
Key: 30 Value: 6d616e686c756174
Key: 31 Value: 31
==14909==
==14909== HEAP SUMMARY:
==14909==     in use at exit: 960 bytes in 5 blocks
==14909==   total heap usage: 11,110 allocs, 11,105 frees, 2,748,757 bytes allocated
==14909==
==14909== LEAK SUMMARY:
==14909==    definitely lost: 0 bytes in 0 blocks
==14909==    indirectly lost: 0 bytes in 0 blocks
==14909==      possibly lost: 0 bytes in 0 blocks
==14909==    still reachable: 960 bytes in 5 blocks
==14909==         suppressed: 0 bytes in 0 blocks
==14909== Rerun with --leak-check=full to see details of leaked memory
==14909==
==14909== For counts of detected and suppressed errors, rerun with: -v
==14909== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
$
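The before/after Memcheck run in the comment above is the check a maintainer wants to repeat for every rebuild. Below is an added example (not code from the bug report, from SUSE, or from PHP) that wraps that check so a package test can gate on it: it parses Valgrind's ERROR SUMMARY line and the error kinds from the log, and runs the reproducer with USE_ZEND_ALLOC=0 so PHP uses the system allocator instead of the Zend memory manager (with the Zend arenas enabled, a use-after-free or double-free stays inside PHP's own heap and Memcheck does not see it). The php binary path, the script name xx.php and the sample log lines are assumptions; the sample logs are constructed and only modelled on the output in the report.

```shell
#!/bin/sh
# Added example, not from the bug report or from PHP: gate on the Memcheck
# run that the comment above does by hand. Paths and script name are
# assumptions; the SAMPLE_* logs below are constructed test input.

# Extract the error count from Valgrind's "ERROR SUMMARY" line on stdin.
# Prints nothing if the summary is absent (e.g. PHP crashed before exit).
valgrind_error_count() {
    sed -E -n 's/^==[0-9]+== ERROR SUMMARY: ([0-9]+) errors.*/\1/p' | tail -n 1
}

# List the distinct Memcheck error kinds on stdin ("Invalid read",
# "Invalid free", ...) as a one-line triage summary.
valgrind_error_kinds() {
    sed -E -n 's/^==[0-9]+== (Invalid (read|write|free)|Mismatched free).*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 only when the log on stdin has a summary line reporting 0 errors.
# A missing summary counts as a failure, not as a clean run.
memcheck_clean() {
    n=$(valgrind_error_count)
    [ -n "$n" ] && [ "$n" -eq 0 ]
}

# Run a PHP script under Memcheck with the Zend allocator disabled.
# --error-exitcode makes valgrind itself exit non-zero on any reported
# error, so the exit status is kept next to the summary-based verdict.
run_memcheck() {
    php_bin=${1:-php}
    script=${2:-xx.php}
    log=$(mktemp)
    if USE_ZEND_ALLOC=0 valgrind --error-exitcode=99 "$php_bin" "$script" >/dev/null 2>"$log"; then
        rc=0
    else
        rc=$?
    fi
    if memcheck_clean <"$log"; then
        echo "PASS: $script: no Memcheck errors (valgrind rc=$rc)"
        rm -f "$log"
        return 0
    fi
    echo "FAIL: $script: $(valgrind_error_count <"$log") errors (valgrind rc=$rc):" \
         "$(valgrind_error_kinds <"$log"); log kept at $log"
    return 1
}

# Constructed sample logs modelled on the two runs in the report, so the
# parsing functions can be exercised without php or valgrind installed.
SAMPLE_BEFORE='==16238== Invalid read of size 1
==16238==    at 0x4C25E22: strlen (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==16238==    by 0x5398FA: _estrdup (in /usr/bin/php5)
==16238== Invalid free() / delete / delete[] / realloc()
==16238==    at 0x4C2A6F0: free (in /usr/lib64/valgrind/amd64-linux/vgpreload_memcheck.so)
==16238== ERROR SUMMARY: 7 errors from 2 contexts (suppressed: 0 from 0)'
SAMPLE_AFTER='==14909== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)'

# Usage: sh memcheck.sh run /usr/bin/php5 xx.php
if [ "${1:-}" = run ]; then
    run_memcheck "$2" "$3"
fi
```

Run it as `sh memcheck.sh run /usr/bin/php5 xx.php` against the unfixed and the fixed package; the fixed build must print PASS, and a FAIL line names the error kinds and keeps the full log for triage. Note that Memcheck only proves the absence of errors on the paths xx.php exercises, so the check complements, rather than replaces, reviewing the upstream commit.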
Created attachment 668883 [details] 13.2 patch
See requests 381468, 106428, 106424, 106436, 106432.
This is an autogenerated message for OBS integration: This bug (969821) was mentioned in https://build.opensuse.org/request/show/381468 13.2 / php5
Hi Uemit, since the bugfix went to a maintenance update already, could we close this L3 issue? Thanks.
Not sure what you mean by 'close this L3 issue', but please leave this bug open for security-team.
This is an autogenerated message for OBS integration: This bug (969821) was mentioned in https://build.opensuse.org/request/show/382845 13.2 / php5
This is an autogenerated message for OBS integration: This bug (969821) was mentioned in https://build.opensuse.org/request/show/384375 13.2 / php5
This is an autogenerated message for OBS integration: This bug (969821) was mentioned in https://build.opensuse.org/request/show/385728 13.2 / php5
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-04-15. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62611
This is an autogenerated message for OBS integration: This bug (969821) was mentioned in https://build.opensuse.org/request/show/389948 13.2 / php5
SUSE-SU-2016:1145-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 949961,968284,969821,971611,971612,971912,973351,973792
CVE References: CVE-2014-9767,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-59.1
SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-59.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-59.1

SUSE-SU-2016:1166-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 968284,969821,971611,971612,971912,973351,973792
CVE References: CVE-2014-9767,CVE-2015-8835,CVE-2015-8838,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-53.1
SUSE Linux Enterprise Software Development Kit 12 (src): php5-5.5.14-53.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-53.1

openSUSE-SU-2016:1167-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 969821,971611,971612,971912,973351,973792,974305
CVE References: CVE-2014-9767,CVE-2015-8835,CVE-2015-8838,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185
Sources used:
openSUSE 13.2 (src): php5-5.6.1-53.3

openSUSE-SU-2016:1173-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 968284,969821,971611,971612,971912,973351,973792
CVE References: CVE-2014-9767,CVE-2015-8835,CVE-2015-8838,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185
Sources used:
openSUSE Leap 42.1 (src): php5-5.5.14-44.1

SUSE-SU-2016:1581-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2014-9767,CVE-2015-4116,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE OpenStack Cloud 5 (src): php53-5.3.17-71.1
SUSE Manager Proxy 2.1 (src): php53-5.3.17-71.1
SUSE Manager 2.1 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): php53-5.3.17-71.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-71.1

SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-47.1
All released, closing; also closing the needinfo as noresponse.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-02-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63367