Bugzilla – Bug 999684
VUL-0: CVE-2016-7417: php5, php7: Missing type check when unserializing SplArray
Last modified: 2019-06-16 14:37:48 UTC
rh#1377344 It was found that the return value is not checked and used on spl_array_get_dimension_ptr_ptr. Vulnerable code: static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, zval *offset, int type TSRMLS_DC) /* {{{ */ { .... HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); <--- here is no check ht with NULL } Upstream bug: https://bugs.php.net/bug.php?id=73029 Upstream patch: https://github.com/php/php-src/commit/ecb7f58a069be0dec4a6131b6351a761f808f22e?w=1 References: https://bugzilla.redhat.com/show_bug.cgi?id=1377344 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7417 http://seclists.org/oss-sec/2016/q3/518 http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7417.html http://www.cvedetails.com/cve/CVE-2016-7417/
bugbot adjusting priority
Test script: --------------- <?php $a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}'; $m = unserialize($a); $x = $m[2]; ?> Expected result: ---------------- No crash Actual result: -------------- $ gdb /data/php-src-PHP-5.6.26/sapi/cli/php GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1 (gdb) r se.php Starting program: /data/php-src-PHP-5.6.26/sapi/cli/php se.php [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x0000000000ac08e3 in _zend_is_inconsistent (ht=0x0, file=0x10d3b78 "/data/php-src-PHP-5.6.26/Zend/zend_hash.c", line=938) at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:60 60 if (ht->inconsistent==HT_OK) { (gdb) bt #0 0x0000000000ac08e3 in _zend_is_inconsistent (ht=0x0, file=0x10d3b78 "/data/php-src-PHP-5.6.26/Zend/zend_hash.c", line=938) at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:60 #1 0x0000000000ac3625 in zend_hash_index_find (ht=0x0, h=2, pData=0x7fffffffaaf0) at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:938 #2 0x000000000089621a in spl_array_get_dimension_ptr_ptr (check_inherited=1, object=0x7ffff7fc50b8, offset=0x7ffff7fc7940, type=0) at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:357 #3 0x000000000089664b in spl_array_read_dimension_ex (check_inherited=1, object=0x7ffff7fc50b8, offset=0x7ffff7fc7940, type=0) at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:406 #4 0x000000000089679b in spl_array_read_dimension (object=0x7ffff7fc50b8, offset=0x7ffff7fc7940, type=0) at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:434 #5 0x0000000000af40b6 in zend_fetch_dimension_address_read (result=0x7ffff7f901e0, container=0x7ffff7fc50b8, dim=0x7ffff7fc7940, dim_type=1, type=0) at /data/php-src-PHP-5.6.26/Zend/zend_execute.c:1364 #6 0x0000000000b4ae0a in ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER (execute_data=0x7ffff7f90260) at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:32849 #7 0x0000000000af5196 in execute_ex (execute_data=0x7ffff7f90260) at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:363 #8 0x0000000000af521f in zend_execute (op_array=0x7ffff7fc5fd8) at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:388 #9 0x0000000000ab0372 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /data/php-src-PHP-5.6.26/Zend/zend.c:1341 #10 0x0000000000a15aa2 in php_execute_script (primary_file=0x7fffffffd200) at /data/php-src-PHP-5.6.26/main/main.c:2613 #11 0x0000000000b64a18 in do_cli (argc=2, argv=0x1460a90) at /data/php-src-PHP-5.6.26/sapi/cli/php_cli.c:994 #12 0x0000000000b65d71 in main (argc=2, argv=0x1460a90) at /data/php-src-PHP-5.6.26/sapi/cli/php_cli.c:1378
Testcase segfaults for php7 and 12/php5, not for 11sp3/php53 (nor valgrind errors there); it might be because that the patch is partly there, see spl_array_unserialize_helper(). For 11/php5, there is no SPL_METHOD(Array, unserialize).
This is an autogenerated message for OBS integration: This bug (999684) was mentioned in https://build.opensuse.org/request/show/429748 13.2 / php5 https://build.opensuse.org/request/show/429753 13.2 / php5
I believe all fixed.
openSUSE-SU-2016:2444-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 999679,999680,999682,999684,999685,999819,999820 CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: openSUSE 13.2 (src): php5-5.6.1-78.1
SUSE-SU-2016:2459-1: An update that fixes 16 vulnerabilities is now available. Category: security (important) Bug References: 997206,997207,997208,997210,997211,997220,997225,997230,997257,999679,999680,999682,999684,999685,999819,999820 CVE References: CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE OpenStack Cloud 5 (src): php53-5.3.17-84.1 SUSE Manager Proxy 2.1 (src): php53-5.3.17-84.1 SUSE Manager 2.1 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Server 11-SP3-LTSS (src): php53-5.3.17-84.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-84.1
SUSE-SU-2016:2460-1: An update that solves 29 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820 CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php7-7.0.7-15.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1
SUSE-SU-2016:2461-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 999679,999680,999682,999684,999685,999819,999820 CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-58.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): php53-5.3.17-58.1
SUSE-SU-2016:2477-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 999679,999680,999682,999684,999685,999819,999820 CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-78.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-78.1
openSUSE-SU-2016:2540-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 999679,999680,999682,999684,999685,999819,999820 CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: openSUSE Leap 42.1 (src): php5-5.5.14-62.1
released
SUSE-SU-2016:2477-2: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 999679,999680,999682,999684,999685,999819,999820 CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-78.1
SUSE-SU-2016:2460-2: An update that solves 29 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820 CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1