Bug 1200082 (CVE-2016-4072) - VUL-0: CVE-2016-4072: php8,php5,php74,php72,php7,php53: php: Invalid memory write in phar on filename containing \0 inside name
Summary: VUL-0: CVE-2016-4072: php8,php5,php74,php72,php7,php53: php: Invalid memory w...
Status: RESOLVED FIXED
Alias: CVE-2016-4072
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/168265/
Whiteboard: CVSSv3.1:SUSE:CVE-2016-4072:4.5:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-31 13:06 UTC by Marcus Meissner
Modified: 2024-04-19 11:16 UTC (History)
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2022-05-31 13:06:48 UTC
rh#1323106

An invalid write vulnerability causing a segmentation fault in phar on a filename with \0 inside its name was found.

Vulnerable code (phar_analyze_path):

    if (!(realpath = expand_filepath(filename, NULL))) {
        efree(filename);
        return FAILURE;
    }
#ifdef PHP_WIN32
    phar_unixify_path_separators(realpath, strlen(realpath));
#endif
    /* C-string search: stops at the first \0 inside filename */
    slash = strstr(realpath, filename);
    if (slash) {
        /* offset computed from the full (binary) length of fname */
        slash += ((ext - fname) + ext_len);
        *slash = '\0';   /* may land past the end of realpath */
    }

If fname and thus filename contain \0's, realpath would not contain those parts and thus slash would point past the end of the realpath buffer.

To exploit this, the application has to allow an attacker to create phar files with arbitrary filenames.

Upstream bug:

https://bugs.php.net/bug.php?id=71860

Upstream patch:

https://gist.github.com/smalyshev/80b5c2909832872f2ba2
https://git.php.net/?p=php-src.git;a=commit;h=1e9b175204e3286d64dfd6c9f09151c31b5e099a

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1323106
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4072
http://seclists.org/oss-sec/2016/q2/138
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4072.html
https://access.redhat.com/security/cve/CVE-2016-4072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4072
http://www.cvedetails.com/cve/CVE-2016-4072/
http://cve.mitre.org/cve/request_id.html
https://git.php.net/?p=php-src.git;a=commit;h=1e9b175204e3286d64dfd6c9f09151c31b5e099a
https://gist.github.com/smalyshev/80b5c2909832872f2ba2
https://bugs.php.net/bug.php?id=71860
http://www.securityfocus.com/bid/85993
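The pointer arithmetic from the phar_analyze_path() excerpt in the description, worked through in a stand-alone model (an added example, not PHP's own code): it computes where the truncating write would land for a benign name and for a name carrying an embedded NUL, and shows a length check that rejects such names before any path arithmetic. The "/tmp" realpath values, the sample names and the exact form of the check are assumptions; the upstream patch may check this differently.

```c
#include <stdio.h>
#include <string.h>

/* Model of the phar_analyze_path() tail quoted in the report (added example, not PHP's code).
 * fname is the PHP string (binary, may embed NUL); ext points at its ".phar" extension, found
 * by a length-based scan. realpath is expand_filepath()'s result, a C string, so it only
 * reflects fname up to the first NUL. Returns the offset the write would land at, or -1. */
static long truncation_offset(const char *realpath, const char *fname,
                              const char *ext, size_t ext_len)
{
    const char *slash = strstr(realpath, fname); /* C-string match: stops at fname's NUL */
    if (!slash)
        return -1;
    slash += ((ext - fname) + ext_len);          /* arithmetic uses the full PHP length */
    return (long)(slash - realpath);
}

/* A write at `off` is safe only inside the buffer (the terminator slot is the last legal one). */
static int write_in_bounds(long off, size_t realpath_bufsize)
{
    return off >= 0 && (size_t)off < realpath_bufsize;
}

/* Hardened entry check: a name whose C-string length differs from its PHP length embeds a
 * NUL, so reject it up front. This mirrors the "Invalid path" warning seen in the fixed
 * build in comment 2; that the upstream patch checks exactly this is an assumption. */
static int phar_name_is_valid(const char *fname, size_t fname_len)
{
    return strlen(fname) == fname_len;
}

/* Constructed inputs: a benign name and one carrying an embedded NUL, as in crash13. */
static const char kGood[] = "crash.phar/index.php";   /* realpath "/tmp/crash.phar/index.php" */
static const char kEvil[] = "crash\0xx.phar";          /* 13 bytes; expand_filepath sees "crash" */

long good_case(void)     { return truncation_offset("/tmp/crash.phar/index.php", kGood, kGood + 5, 5); }
long evil_case(void)     { return truncation_offset("/tmp/crash", kEvil, kEvil + 8, 5); }
int  evil_rejected(void) { return !phar_name_is_valid(kEvil, sizeof kEvil - 1); }

int main(void)
{
    printf("good: offset %ld (buffer %zu bytes)\n", good_case(), sizeof "/tmp/crash.phar/index.php");
    printf("evil: offset %ld (buffer %zu bytes), in bounds: %d\n", evil_case(),
           sizeof "/tmp/crash", write_in_bounds(evil_case(), sizeof "/tmp/crash"));
    printf("evil rejected by length check: %d\n", evil_rejected());
    return 0;
}
```

For the benign name the write lands on the '/' after ".phar" and simply truncates the path; for the NUL-bearing name it lands 7 bytes past an 11-byte buffer, which is the invalid write the report describes.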
Comment 1 Marcus Meissner 2022-05-31 13:07:06 UTC
(we did not have a bug open for it yet, nor any updates released yet)
Comment 2 Petr Gajdos 2022-06-06 18:17:43 UTC
This was fixed in 7.0.5, so php7+ packages are already fixed. For the php5 branch, it was fixed on 31 Mar 2016 in the PHP 5.6.20 release.

The only affected code stream is 11sp3/php53.

11sp3/php53 (see base64 ret/crash13 in the upstream bug):

BEFORE

:/200082> php test.php crash13
Segmentation fault (core dumped)
:/200082>

AFTER

:/200082> php test.php crash13
PHP Warning:  Phar::__construct(): Invalid path in /200082/test.php on line 4
exception 'BadMethodCallException' with message 'Cannot call method on an uninitialized Phar object' in /200082/test.php:5
Stack trace:
#0 /200082/test.php(5): Phar->offsetSet('index.php', '<?php echo "htt...')
#1 {main}
:/200082>
Comment 3 Petr Gajdos 2022-06-06 18:25:03 UTC
Package submitted: 11sp3/php53

I believe all are fixed.
Comment 4 Petr Gajdos 2022-06-06 18:35:37 UTC
QA: note test changes in
https://gist.github.com/smalyshev/80b5c2909832872f2ba2
or git 1e9b175204e3286d64dfd6c9f09151c31b5e099a or 72281f29dd4691b2f741362d3581162fcf85f502 respectively.
Comment 6 Robert Frohl 2024-04-19 11:16:55 UTC
done