Bugzilla – Bug 977992
VUL-0: CVE-2016-4343: php: Uninitialized pointer in phar_make_dirstream()
Last modified: 2020-06-12 20:48:41 UTC
CVE-2016-4343 References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4343
http://seclists.org/oss-sec/2016/q2/163
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4343.html
The situation is different for 13.2 and 12:

13.2:

Breakpoint 1, phar_make_dirstream (dir=0x7ffff7fdc088 "/", manifest=0x7ffff7fdbbb8) at /usr/src/debug/php-5.6.1/ext/phar/dirstream.c:183
183         int dirlen = strlen(dir);
(gdb) p *manifest->pInternalPointer
$7 = {h = 5381, nKeyLength = 0, pData = 0x7ffff7fdc940, pDataPtr = 0x0, pListNext = 0x7ffff7fdbdc0, pListLast = 0x0, pNext = 0x0, pLast = 0x0, arKey = 0x7ffff7fdd030 "Y"}

12:

Breakpoint 1, phar_make_dirstream (dir=0x7ffff7fd9f88 "/", manifest=0x7ffff7fd9ab8) at /usr/src/debug/php-5.5.14/ext/phar/dirstream.c:191
191         int dirlen = strlen(dir);
(gdb) p *manifest->pInternalPointer
$7 = {h = 13895175661579615935, nKeyLength = 11, pData = 0x7ffff7fd9d28, pDataPtr = 0x0, pListNext = 0x0, pListLast = 0x0, pNext = 0x0, pLast = 0x0, arKey = 0x7ffff7fd9d08 "testit/link\272\272\272\272\272\271"}

You see that nKeyLength is not zero in 12, so, via this testcase at least, the vulnerability is not proven. Will fix for 13.2 only.
Created attachment 675203: test tar

How to reproduce on 13.2:

Installed packages: php5, php5-phar

$ cat test.php
<?php
new PharData($argv[1]);
?>

BEFORE

$ USE_ZEND_ALLOC=0 valgrind php test.php 000.tar
.. many valgrind errors, sometimes segfault ..
$

AFTER

$ USE_ZEND_ALLOC=0 valgrind php test.php 000.tar
PHP Fatal error:  Uncaught exception 'UnexpectedValueException' with message 'phar error: "/977992/000.tar" is a corrupted tar file (invalid entry size)' in /977992/test.php:2
Stack trace:
#0 /977992/test.php(2): PharData->__construct('000.tar')
#1 {main}
  thrown in /977992/test.php on line 2
$
In phar_wrapper_open_dir(), phar_get_archive() is called a second time and it uses cached data. Given the nature of the bug, my conclusion in comment 1 is probably precipitate, and because the code seems to be similar in 5.6.1 and older distros, I am going to submit everywhere the phar extension exists. This will ensure the processing of a damaged file stops in time. Nonetheless, the testcase is unreliable as far as I tested, as implied. Anyway, running the testcase AFTER should bail out with:

$ php test.php 000.tar
PHP Fatal error:  Uncaught exception 'UnexpectedValueException' with message 'phar error: "/977992/000.tar" is a corrupted tar file (invalid entry size)' in /977992/test.php:2
Stack trace:
#0 /977992/test.php(2): PharData->__construct('000.tar')
#1 {main}
  thrown in /977992/test.php on line 2
$
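As an added example (not code from this bug, from php, or from the openSUSE update), a small Python pre-check in the spirit of the "invalid entry size" rejection shown in the AFTER output: it walks the ustar headers of an archive and refuses any entry whose size field is not octal or runs past the end of the file, so a corrupted archive can be dropped before it reaches PharData on a host that is still unpatched. The exact conditions php's fixed tar parser checks are not on this page, so this is a generic ustar sanity check; the sample archives, the entry name and the bad size fields are constructed inline.

```python
# Added example (not php's code): ustar size-field sanity check; fixtures are constructed below.
import io
import tarfile

BLOCK = 512  # tar headers and data padding use 512-byte blocks

def parse_size(field: bytes) -> int:
    """Parse a tar size field; raise ValueError unless it is well-formed octal."""
    text = field.split(b"\0", 1)[0].strip(b" ")
    if not text or any(c not in b"01234567" for c in text):
        raise ValueError("invalid entry size")
    return int(text, 8)

def validate_tar(data: bytes) -> list:
    """Walk the headers; return [(name, size), ...] or raise ValueError on corruption."""
    entries, off = [], 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:          # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode("ascii", "replace")
        size = parse_size(hdr[124:136])   # size field: 12 octal bytes at offset 124
        payload = (size + BLOCK - 1) // BLOCK * BLOCK   # entry data is block-padded
        if off + BLOCK + payload > len(data):           # size runs past end of file
            raise ValueError("invalid entry size")
        entries.append((name, size))
        off += BLOCK + payload
    return entries

def build_sample(size_field=None) -> bytes:
    """Constructed fixture: a one-file ustar archive, optionally with a bad size field."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo("testit/link")   # constructed entry name
        body = b"hello\n"
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    data = bytearray(buf.getvalue())
    if size_field is not None:
        data[124:136] = size_field.ljust(12, b"\0")   # clobber the first header's size
    return bytes(data)

def is_safe_to_open(data: bytes) -> bool:
    """Gate for the caller: True only if every header passed validation."""
    try:
        validate_tar(data)
        return True
    except ValueError:
        return False
```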
This is an autogenerated message for OBS integration: This bug (977992) was mentioned in https://build.opensuse.org/request/show/393784 13.2 / php5
Packages submitted.
This is an autogenerated message for OBS integration: This bug (977992) was mentioned in https://build.opensuse.org/request/show/394633 13.2 / php5
This is an autogenerated message for OBS integration: This bug (977992) was mentioned in https://build.opensuse.org/request/show/396629 13.2 / php5
openSUSE-SU-2016:1357-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 977991, 977992, 977994, 978827, 978828, 978829, 978830
CVE References: CVE-2016-4342, CVE-2016-4343, CVE-2016-4346, CVE-2016-4537, CVE-2016-4538, CVE-2016-4539, CVE-2016-4540, CVE-2016-4541, CVE-2016-4542, CVE-2016-4543, CVE-2016-4544
Sources used:
openSUSE 13.2 (src): php5-5.6.1-61.1
released