Bug 999682 (CVE-2016-7411) - VUL-0: CVE-2016-7411: php5: Memory corruption when destructing deserialized object
Summary: VUL-0: CVE-2016-7411: php5: Memory corruption when destructing deserialized o...
Status: RESOLVED FIXED
Alias: CVE-2016-7411
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/172668/
Whiteboard: maint:running:63038:important CVSSv2:...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-19 14:15 UTC by Victor Pereira
Modified: 2018-10-19 18:54 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2016-09-19 14:15:48 UTC 
rh#1377303

It was found that if object deserialization fails, object's properties will be cleaned, but the object will still remain stored in objects_store. When calling desctructor with uninitialized properties, memory corruption may happen.

Upstream bug:

https://bugs.php.net/bug.php?id=73052

Upstream patch:

https://github.com/php/php-src/commit/6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43?w=1



References:
https://bugzilla.redhat.com/show_bug.cgi?id=1377303
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7411
http://seclists.org/oss-sec/2016/q3/518
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7411.html
http://www.cvedetails.com/cve/CVE-2016-7411/
Comment 1 Swamp Workflow Management 2016-09-19 22:02:04 UTC 
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-09-21 13:37:17 UTC 
With 13.2 and 12 the sign of reproducing by 
  USE_ZEND_ALLOC=0 php test.php
is the segfault. Not the case of 11sp3 and 11 or 12/php7 (nor valgrind errors there).

As the code is not there in 12/php7 and the CVE was originally requested for php5 and not php7 in the opposite to other CVEs (http://www.openwall.com/lists/oss-security/2016/09/15/6), considering unaffected.

For 11sp3 and 11 the code is there, considering affected.
Comment 3 Bernhard Wiedemann 2016-09-23 10:01:04 UTC 
This is an autogenerated message for OBS integration:
This bug (999682) was mentioned in
https://build.opensuse.org/request/show/429748 13.2 / php5
https://build.opensuse.org/request/show/429753 13.2 / php5
Comment 5 Petr Gajdos 2016-09-23 11:16:06 UTC 
I believe all fixed.
Comment 7 Swamp Workflow Management 2016-10-04 14:10:50 UTC 
openSUSE-SU-2016:2444-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-78.1
Comment 8 Swamp Workflow Management 2016-10-05 16:14:07 UTC 
SUSE-SU-2016:2459-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 997206,997207,997208,997210,997211,997220,997225,997230,997257,999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE OpenStack Cloud 5 (src):    php53-5.3.17-84.1
SUSE Manager Proxy 2.1 (src):    php53-5.3.17-84.1
SUSE Manager 2.1 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-84.1
Comment 9 Swamp Workflow Management 2016-10-05 23:08:57 UTC 
SUSE-SU-2016:2461-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-58.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    php53-5.3.17-58.1
Comment 10 Swamp Workflow Management 2016-10-07 19:13:16 UTC 
SUSE-SU-2016:2477-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-78.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-78.1
Comment 11 Swamp Workflow Management 2016-10-14 14:12:04 UTC 
openSUSE-SU-2016:2540-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-62.1
Comment 12 Marcus Meissner 2016-10-31 08:42:52 UTC 
released
Comment 13 Swamp Workflow Management 2016-11-01 15:07:48 UTC 
SUSE-SU-2016:2477-2: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-78.1