Bugzilla – Bug 986247
VUL-0: CVE-2016-5773: php5,php53: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
Last modified: 2019-07-04 05:37:04 UTC
http://seclists.org/oss-sec/2016/q2/589 - zip: Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize). (Dmitry) https://bugs.php.net/bug.php?id=72434 http://git.php.net/?p=php-src.git;a=commitdiff;h=f6aef68089221c5ea047d4a74224ee3deead99a6 Use CVE-2016-5773. Note that, unlike bug #72433, this does affect PHP 7.x.
bugbot adjusting priority
Created attachment 682008 [details]
xx.php

QA REPRODUCER:

php xx.php

should return

array(1) refcount(1){
  [0]=> object(stdClass)#3 (0) refcount(3){
  }
}

I think
Not sure how the testcase should work.
Fixed in 13.2/php5 and 12/php5.
The behaviour seems to trigger for php 5.3. As Petr found, the garbage collection hooks work differently. Was checking the sources.
(In reply to Marcus Meissner from comment #5)
> The behaviour seems to trigger for php 5.3

Actually, not for me. I get

$ php xx.php
array(1) refcount(1){
  [0]=> object(stdClass)#3 (0) refcount(3){
  }
}
$

which is the exact expected output from the test, as far as I can see. Without patching anything.

> As Petr found, the garbage collection hooks work differently.
>
> was checking the sources

Will submit now without the fix for 5.3. Please reassign back to me as soon as the release happens, if you still want to fix this for 5.3.
(see also bug 986391)
Packages submitted.
This is an autogenerated message for OBS integration: This bug (986247) was mentioned in https://build.opensuse.org/request/show/405425 13.2 / php5
(In reply to Petr Gajdos from comment #6)
> (In reply to Marcus Meissner from comment #5)
> > The behaviour seems to trigger for php 5.3
>
> Actually, not for me. I get

Sorry, obvious mistake: forgot to install php5-zip. Now I get

$ php xx.php
string(13) "filler_zval_2" refcount(2)
$

even for php53, yes. Thanks Marcus.
This is an autogenerated message for OBS integration: This bug (986247) was mentioned in https://build.opensuse.org/request/show/405458 13.2 / php5
openSUSE-SU-2016:1761-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986246,986247,986386,986388,986391,986392,986393
CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772,CVE-2016-5773
Sources used:
openSUSE 13.2 (src): php5-5.6.1-69.1
(not fixed yet for sle11/sle12)
Actually, sle12 is fixed (php-CVE-2016-5773.patch), just changelog entry was missing.
P4 for sle11.
SUSE-SU-2016:2975-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1008029,986247
CVE References: CVE-2016-5773,CVE-2016-9137
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): imap-2007e_suse-22.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): imap-2007e_suse-22.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): imap-2007e_suse-22.1, php5-5.5.14-86.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): imap-2007e_suse-22.1, php5-5.5.14-86.2
SUSE Linux Enterprise Module for Web Scripting 12 (src): imap-2007e_suse-22.1, php5-5.5.14-86.2
SUSE Linux Enterprise Desktop 12-SP2 (src): imap-2007e_suse-22.1
SUSE Linux Enterprise Desktop 12-SP1 (src): imap-2007e_suse-22.1
openSUSE-SU-2016:3095-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1008029,986247
CVE References: CVE-2016-5773,CVE-2016-9137
Sources used:
openSUSE Leap 42.2 (src): php5-5.5.14-69.1
openSUSE Leap 42.1 (src): php5-5.5.14-68.3
released
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-02-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63367
Created attachment 758442 [details] dirty approach to fix this in php 5.3
Created attachment 758443 [details] clean approach to fix this in php 5.3
So here it goes. I have two different patches with two different approaches to fix this issue in php 5.3:

- attachment 758442 [details] contains the "dirty" but simple approach. It does not change any data structures. Since it compares a class name by string it might influence performance a little. Also it will not extend so well should we need more similar patches in the future.

- attachment 758443 contains the "clean" but a bit more complex approach. It introduces parts of the "get_gc" method infrastructure as found in php 5.4 onwards. This requires extending global data structures and it's difficult to say if this has any side effects I'm not aware of. It is better for performance and can be extended easily should we need more similar patches in the future.

I've tested both patches and the reproducer does not trigger any more. Valgrind runs through cleanly.

Please review and decide which patch to take :-)
Created attachment 758972 [details] ABI compatible fix
Since the previous "clean" patch variant was not ABI compatible and the "dirty" patch was not good enough to support the fix of bug 986391, I've devised a new patch for this issue. In attachment 758972 [details] you can find the new ABI compatible fix for php 5.3. The major difference to the previous "clean" patch is that we're misusing the get_closure handler field to mark extensions that support the extended global handlers structure.
Created attachment 759080 [details] testcase modified by Matthias Gerstner
BEFORE

$ php xx_sle11.php
No entry for terminal type "rxvt-unicode"; using dumb terminal settings.
array(1) refcount(1){
  [0]=> object(stdClass)#3 (0) refcount(2){
  }
}
string(0) "" refcount(1)
Segmentation fault (core dumped)
$

AFTER

$ php xx_sle11.php
array(1) refcount(1){
  [0]=> object(stdClass)#3 (0) refcount(2){
  }
}
array(1) refcount(1){
  [0]=> object(stdClass)#3 (0) refcount(2){
  }
}
array(1) refcount(1){
  [0]=> object(stdClass)#3 (0) refcount(3){
  }
}
$
Packages submitted. Thanks Matthias.
SUSE-SU-2018:0806-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1076220,1076391,1080234,1083639,986247,986391
CVE References: CVE-2016-10712,CVE-2016-5771,CVE-2016-5773,CVE-2018-5711,CVE-2018-5712,CVE-2018-7584
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-112.20.1
SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-112.20.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): php53-5.3.17-112.20.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): php53-5.3.17-112.20.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-112.20.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-112.20.1
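The advisories in this bug give one fixed php5/php53 source version per product, and the practical question for an administrator is whether the package on a given host is at or above that release. The following is an added example, not code from this bug or from SUSE, that answers that question from `rpm -q` style package strings. The fixed-version table is copied from the advisory texts above; the product labels ("SLE 12" for the SLE 12 SDK / Module for Web Scripting products, and so on) are this example's own shorthand, the architecture-suffix list and the installed package strings are constructed sample input, and the version comparison is a simplified rpmvercmp that ignores the `~` and `^` rules real rpm applies.

```python
"""
Check whether an installed SUSE/openSUSE php5 or php53 package is at or above
the release that shipped the CVE-2016-5773 fix, using the versions quoted in
the advisories in this bug. Example code added for illustration; not part of
the bug report or of any SUSE tooling.
"""
import re

# Fixed source package versions as listed in the advisories in this bug,
# keyed by a product shorthand chosen here (assumption) and by package name.
FIXED = {
    "openSUSE 13.2": {"php5": "5.6.1-69.1"},        # openSUSE-SU-2016:1761-1
    "SLE 12": {"php5": "5.5.14-86.2"},               # SUSE-SU-2016:2975-1
    "openSUSE Leap 42.2": {"php5": "5.5.14-69.1"},   # openSUSE-SU-2016:3095-1
    "openSUSE Leap 42.1": {"php5": "5.5.14-68.3"},   # openSUSE-SU-2016:3095-1
    "SLE 11": {"php53": "5.3.17-112.20.1"},          # SUSE-SU-2018:0806-1
}

# Architecture suffixes `rpm -q` may append; assumed list for this example.
ARCHES = (".x86_64", ".i586", ".i686", ".noarch", ".ppc64le", ".s390x", ".aarch64")

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version comparison: split both strings into digit and
    letter runs (everything else is a separator), compare segment by segment,
    numeric segments sort after alphabetic ones, and the string with more
    segments left wins. Returns -1, 0 or 1. No '~' or '^' handling."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_nvr(pkg: str):
    """Split 'name-version-release[.arch]' as printed by `rpm -q` into
    (name, version, release), dropping a known architecture suffix."""
    for arch in ARCHES:
        if pkg.endswith(arch):
            pkg = pkg[: -len(arch)]
            break
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release


def is_fixed(installed: str, product: str) -> bool:
    """True if the installed package is at or above the fixed version for the
    given product. Version is compared first, release only on a tie. Raises
    KeyError for a product/package the advisories above do not cover."""
    name, version, release = split_nvr(installed)
    fixed_version, fixed_release = FIXED[product][name].rsplit("-", 1)
    c = rpmvercmp(version, fixed_version)
    if c == 0:
        c = rpmvercmp(release, fixed_release)
    return c >= 0


if __name__ == "__main__":
    # Constructed sample `rpm -q php5` / `rpm -q php53` output, not real hosts.
    samples = [
        ("php53-5.3.17-112.20.1.x86_64", "SLE 11"),
        ("php5-5.5.14-85.1.x86_64", "SLE 12"),
        ("php5-5.5.14-69.1.x86_64", "openSUSE Leap 42.2"),
    ]
    for pkg, prod in samples:
        state = "fixed" if is_fixed(pkg, prod) else "VULNERABLE"
        print(f"{pkg} on {prod}: {state}")
```

The release part matters here: on SLE 11 the fix shipped as a release bump of the same 5.3.17 upstream version, so comparing only the upstream version string would report every 5.3.17 host as fixed. The same applies to the 5.5.14 builds for SLE 12 and Leap.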
done