999679 – (CVE-2016-7413) VUL-0: CVE-2016-7413: php5, php53, php7: Use after free in wddx_deserialize

Bug 999679 (CVE-2016-7413) - VUL-0: CVE-2016-7413: php5, php53, php7: Use after free in wddx_deserialize

Summary: VUL-0: CVE-2016-7413: php5, php53, php7: Use after free in wddx_deserialize

Status:	RESOLVED FIXED

Alias:	CVE-2016-7413

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/172670/
Whiteboard:	maint:running:63038:important CVSSv2:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-09-19 14:09 UTC by Victor Pereira
Modified:	2017-05-10 18:52 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2016-09-19 14:09:34 UTC

rh#1377314

It was discovered that when WDDX tries to deserialize "recordset" element, use after free happens if close tag for the field is not found. This happens only when field names are set.

Upstream bug:

https://bugs.php.net/bug.php?id=72860

Upstream patch:

https://github.com/php/php-src/commit/b88393f08a558eec14964a55d3c680fe67407712?w=1


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1377314
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7413
http://seclists.org/oss-sec/2016/q3/518
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7413.html
http://www.cvedetails.com/cve/CVE-2016-7413/

Comment 1 Swamp Workflow Management 2016-09-19 22:01:46 UTC

bugbot adjusting priority

Comment 2 Petr Gajdos 2016-09-22 15:21:44 UTC

The segfault was visible on 12/php7 and 11sp3/php53. Otherwise I have seen valgrind errors with: USE_ZEND_ALLOC=0 valgrind php test.php

All versions 12/php7 to 11/php5 are affected.

Comment 3 Bernhard Wiedemann 2016-09-23 10:00:38 UTC

This is an autogenerated message for OBS integration:
This bug (999679) was mentioned in
https://build.opensuse.org/request/show/429748 13.2 / php5
https://build.opensuse.org/request/show/429753 13.2 / php5

Comment 5 Petr Gajdos 2016-09-23 11:16:09 UTC

I believe all fixed.

Comment 8 Swamp Workflow Management 2016-10-04 14:10:32 UTC

openSUSE-SU-2016:2444-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-78.1

Comment 9 Swamp Workflow Management 2016-10-05 16:13:50 UTC

SUSE-SU-2016:2459-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 997206,997207,997208,997210,997211,997220,997225,997230,997257,999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE OpenStack Cloud 5 (src):    php53-5.3.17-84.1
SUSE Manager Proxy 2.1 (src):    php53-5.3.17-84.1
SUSE Manager 2.1 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-84.1

Comment 10 Swamp Workflow Management 2016-10-05 19:12:51 UTC

SUSE-SU-2016:2460-1: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820
CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-15.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-15.1

Comment 11 Swamp Workflow Management 2016-10-05 23:08:40 UTC

SUSE-SU-2016:2461-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-58.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    php53-5.3.17-58.1

Comment 12 Swamp Workflow Management 2016-10-07 19:12:59 UTC

SUSE-SU-2016:2477-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-78.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-78.1

Comment 13 Swamp Workflow Management 2016-10-14 14:11:44 UTC

openSUSE-SU-2016:2540-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-62.1

Comment 14 Marcus Meissner 2016-10-31 08:40:10 UTC

released

Comment 15 Swamp Workflow Management 2016-11-01 15:07:27 UTC

SUSE-SU-2016:2477-2: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-78.1

Comment 16 Swamp Workflow Management 2016-11-01 15:25:47 UTC

SUSE-SU-2016:2460-2: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820
CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-15.1