Bugzilla – Bug 995512
VUL-0: CVE-2016-4473: php5,php7,php53: Invalid free() instead of efree() in phar_extract_file()
Last modified: 2016-11-23 17:18:51 UTC
CVE-2016-4473
https://bugs.php.net/bug.php?id=72321

An invalid free (assigned CVE-2016-4473) may occur under certain conditions when processing phar-compatible archives in php 5.6.22, 7.0.7 and git head.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4473
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4473.html
Created attachment 689443: mkzip.py

QA REPRODUCER: python mkzip.py for creating 1.zip and 2.zip to be used in the next comment.
Created attachment 689445: phar.php

QA REPRODUCER:
( rm -rf foobar )
php phar.php foobar 1.zip 2.zip
should lead to a crash.
(This did not reproduce for me on Tumbleweed with php7 and on 13.2 with php 5.6)
bugbot adjusting priority
malloc/free and emalloc/efree need to be used consistently. This is not the case only for 12sp2/php7; no other version we support is affected.
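To illustrate the allocator-pairing point above, here is an added example (not PHP's code and not the fix from this bug): a toy "toy_emalloc"/"toy_efree" pair that records the blocks it hands out, so that releasing one of its buffers through libc free() is reported as a mismatch instead of corrupting the heap, much as a debug allocator or ASan would flag the invalid free() in phar_extract_file(). The function and variable names are assumed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy stand-ins for Zend's emalloc()/efree() (assumed names, "toy_" prefix;
 * not PHP's allocator). Blocks are tracked in a registry so a release through
 * the wrong allocator is reported instead of corrupting the heap. */
#define MAX_BLOCKS 64
static void *live[MAX_BLOCKS];   /* pointers handed out by toy_emalloc */
static int nlive;
static int find_live(const void *p) {
    for (int i = 0; i < nlive; i++)
        if (live[i] == p) return i;
    return -1;
}
void *toy_emalloc(size_t n) {
    void *p = malloc(n);
    if (p && nlive < MAX_BLOCKS) live[nlive++] = p;
    return p;
}

/* 0 when p came from toy_emalloc; -1 (nothing freed) otherwise. */
int toy_efree(void *p) {
    int i = find_live(p);
    if (i < 0) return -1;
    live[i] = live[--nlive];
    free(p);
    return 0;
}

/* Checked libc release: refuses a pointer the engine allocator owns,
 * i.e. the malloc/free vs emalloc/efree mismatch behind this bug. */
int checked_free(void *p) {
    if (find_live(p) >= 0) return -1;   /* would be an invalid free() */
    free(p);
    return 0;
}

/* Models the extraction path buffer: allocated with the engine allocator,
 * then released the buggy way (libc free) or the fixed way (efree).
 * Returns 1 if a mismatch was caught, 0 if released cleanly, -1 on OOM. */
int release_path(const char *dir, const char *name, int buggy_libc_free) {
    size_t n = strlen(dir) + 1 + strlen(name) + 1;
    char *path = toy_emalloc(n);
    if (!path) return -1;
    snprintf(path, n, "%s/%s", dir, name);
    int mismatch = buggy_libc_free && checked_free(path) != 0;
    if (!buggy_libc_free || mismatch) toy_efree(path);   /* matching release */
    return mismatch;
}
```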
BEFORE

$ php phar.php foobar 1.zip 2.zip
PHP Warning:  PharData::extractTo(): Not a directory in /995512/phar.php on line 14
*** Error in `php': free(): invalid pointer: 0x00007feabaa680c0 ***
======= Backtrace: =========
[...]
======= Memory map: ========
Aborted (core dumped)
$

AFTER

$ php phar.php foobar 1.zip 2.zip
PHP Warning:  PharData::extractTo(): Not a directory in /995512/phar.php on line 14
NOTE: Extraction from phar "/995512/2.zip" failed: Cannot extract "AAAAAAAAxxxxBBBBCCCCCCCCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/b/c", could not create directory "foobar/AAAAAAAAxxxxBBBBCCCCCCCCxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/b"
$

I also get the correct output in 'AFTER' for 11sp3 and 12.
Packages submitted.
done
SUSE-SU-2016:2460-1: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)

Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820

CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418

Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php7-7.0.7-15.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1
SUSE-SU-2016:2460-2: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)

Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820

CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418

Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1