Bugzilla – Bug 1182049
VUL-0: CVE-2021-21702: php53,php74,php7,php72,php5: php: NULL pointer dereference in SoapClient
Last modified: 2024-05-30 18:58:28 UTC
CVE-2021-21702: Missing check in node_is_equal_ex function in ext/soap/php_xml.c leads to a NULL pointer dereference.

Reference: https://bugs.php.net/bug.php?id=80672

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1925272
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21702
https://access.redhat.com/security/cve/CVE-2021-21702
Created attachment 845970: POC (contains two files)
QA reproducer: a fixed version should not segfault. Make sure that you have the two files in the same directory.

valgrind a.php
==24095== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==24095==  Access not within mapped region at address 0x0
==24095==    at 0x6955200: __strcmp_sse2_unaligned (in /lib64/libc-2.26.so)
==24095==    by 0xB981299: node_is_equal_ex (php_xml.c:218)
==24095==    by 0xB97CF24: load_wsdl_ex (php_sdl.c:371)
==24095==    by 0xB97D702: load_wsdl (php_sdl.c:742)
==24095==    by 0xB97F1E4: get_sdl (php_sdl.c:3319)
==24095==    by 0xB94735E: zim_SoapClient_SoapClient (soap.c:2485)
==24095==    by 0x7DBEDC: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1618)
==24095==    by 0x7DBEDC: execute_ex (zend_vm_execute.h:53826)
==24095==    by 0x7DDD91: zend_execute (zend_vm_execute.h:57922)
==24095==    by 0x743D4F: zend_execute_scripts (zend.c:1666)
==24095==    by 0x6D630F: php_execute_script (main.c:2617)
==24095==    by 0x7E041E: do_cli (php_cli.c:961)
==24095==    by 0x5647C5: main (php_cli.c:1356)
==24095==  If you believe this happened as a result of a stack
==24095==  overflow in your program's main thread (unlikely but
==24095==  possible), you can try to increase the size of the
==24095==  main thread stack using the --main-stacksize= flag.
==24095==  The main thread stack size used in this run was 8388608.
To reproduce it, php{5,7}-soap needs to be installed.

Reproduced successfully in php74, php7, php72, php53. Failed to reproduce in php5 in SLE11, but the patch seems applicable.

Tracked as affected:
php5: SLE11
php53: SLE11-SP3
php7: SLE12, SLE15, SLE15-SP2
php72: SLE12
php74: SLE12

Fix at [1]

[1] http://git.php.net/?p=php-src.git;a=commit;h=3c939e3f69955d087e0bb671868f7267dfb2a502
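The valgrind trace above shows strcmp() being called on address 0x0 from node_is_equal_ex(), i.e. the WSDL parser compared a child node whose name pointer was NULL against an expected element name. The following is an added example, not code from php-src: it models that check in plain C with a stand-in struct (an assumption replacing libxml2's xmlNode, keeping only the name and namespace fields), shows the unguarded comparison next to the guarded one, and runs a model of the load_wsdl_ex() dispatch loop over a constructed child list that contains a nameless node. The element names and WSDL namespace are assumptions made for the illustration; the guarded form reports the nameless node as an unexpected element instead of crashing, which matches the post-fix "Unexpected WSDL element <>" message in the reproducer.

```c
/* Added example (not PHP's code): NULL-name guard in a node_is_equal_ex()-style check. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define WSDL_NS "http://schemas.xmlsoap.org/wsdl/"

/* Stand-in for libxml2's xmlNode (assumption): only the fields the check reads. */
typedef struct node {
    const char *name;   /* element name; NULL for the node that triggered the crash */
    const char *ns;     /* namespace URI, may be NULL */
} node_t;

/* Vulnerable form: node->name goes straight into strcmp(); a NULL name dereferences 0x0. */
int node_is_equal_vuln(const node_t *node, const char *name, const char *ns)
{
    if (name != NULL && strcmp(node->name, name) != 0)
        return 0;
    if (ns != NULL && (node->ns == NULL || strcmp(node->ns, ns) != 0))
        return 0;
    return 1;
}

/* Fixed form: a node without a name can never match a requested name, so reject it first. */
int node_is_equal_fixed(const node_t *node, const char *name, const char *ns)
{
    if (name != NULL && (node->name == NULL || strcmp(node->name, name) != 0))
        return 0;
    if (ns != NULL && (node->ns == NULL || strcmp(node->ns, ns) != 0))
        return 0;
    return 1;
}

/* Model of the load_wsdl_ex() dispatch loop over the children of <definitions>.
 * Returns how many children matched none of the known elements; if out_first is
 * non-NULL it receives the first unexpected child's name ("" when the name is NULL). */
size_t count_unexpected(const node_t *children, size_t n, const char **out_first)
{
    static const char *known[] = { "import", "types", "message", "portType", "binding", "service" };
    size_t unexpected = 0;
    if (out_first) *out_first = NULL;
    for (size_t i = 0; i < n; i++) {
        int matched = 0;
        for (size_t k = 0; k < sizeof known / sizeof known[0]; k++) {
            if (node_is_equal_fixed(&children[i], known[k], WSDL_NS)) { matched = 1; break; }
        }
        if (!matched) {
            if (out_first && *out_first == NULL)
                *out_first = children[i].name ? children[i].name : "";
            unexpected++;
        }
    }
    return unexpected;
}

/* Constructed sample inputs (not taken from the PoC WSDL): a clean child list and one
 * containing a nameless node, the condition the valgrind trace shows. */
static const node_t SAMPLE_OK[]  = { {"types", WSDL_NS}, {"service", WSDL_NS} };
static const node_t SAMPLE_BAD[] = { {"types", WSDL_NS}, {NULL, NULL}, {"service", WSDL_NS} };
static const node_t NAMELESS     = { NULL, WSDL_NS };

size_t demo_ok(void)  { return count_unexpected(SAMPLE_OK, 2, NULL); }
size_t demo_bad(void) { return count_unexpected(SAMPLE_BAD, 3, NULL); }
const char *demo_bad_first(void)
{
    const char *first = NULL;
    count_unexpected(SAMPLE_BAD, 3, &first);
    return first;
}

int main(void)
{
    printf("clean list: %zu unexpected\n", demo_ok());
    /* With node_is_equal_vuln() this walk would segfault on the nameless node. */
    printf("nameless node: %zu unexpected, first = <%s>\n", demo_bad(), demo_bad_first());
    return 0;
}
```

The guard is the whole fix: the comparison order matters, because `node->name == NULL` must be tested before strcmp() ever sees the pointer. Anything that walks parser-produced trees (WSDL, XSD, SOAP envelopes) should apply the same rule to every field it hands to a libc string function.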
I agree with analysis comment 3, aside that it is reproducible with 11/php5 as well in case you drop usage of __DIR__: --- /abuild/php53-11sp3/182049/a.php 2021-02-11 09:20:40.016243446 +0100 +++ /abuild/php5-11/182049/a.php 2021-02-11 09:26:08.094238243 +0100 @@ -1,6 +1,6 @@ <?php try { - $client = new SoapClient(__DIR__ . "/bug80672.xml"); + $client = new SoapClient("bug80672.xml"); $query = $soap->query(array('sXML' => 'something')); } catch(SoapFault $e) { print $e->getMessage(); BEFORE For all versions I get: $ php a.php Segmentation fault (core dumped) $ PATCH referenced in comment 3 AFTER For all versions I get: # php a.php SOAP-ERROR: Parsing WSDL: Unexpected WSDL element <>#
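Review bot: in the hunk's unchanged context the client is assigned to `$client` but the next line calls `$soap->query(...)`, so `$soap` is undefined and the query would never run; this is harmless for the crash reproducer, because the segfault happens inside `new SoapClient(...)` before that line is reached, but for the script to be meaningful against a fixed build it should read `$query = $client->query(array('sXML' => 'something'));`. The changed line also makes the WSDL path relative to the current working directory instead of the script's directory, which is why the reproducer must be started from the directory holding both files; a comment saying so would save the next tester a "cannot load WSDL" detour.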
Packages 15sp2/php7, 15/php7, 12/php74, 12/php72, 11sp3/php53 and 11/php5 submitted.
SUSE-SU-2021:0494-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1182049
CVE References: CVE-2021-21702
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src): php7-7.4.6-3.17.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): php7-7.4.6-3.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:0498-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1182049
CVE References: CVE-2021-21702
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php72-7.2.5-1.60.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php72-7.2.5-1.60.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0305-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1182049
CVE References: CVE-2021-21702
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): php7-7.4.6-lp152.2.15.1, php7-test-7.4.6-lp152.2.15.1
SUSE-SU-2021:0522-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1182049
CVE References: CVE-2021-21702
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php74-7.4.6-1.19.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php74-7.4.6-1.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I am testing the php53 update (SUSE:Maintenance:18241:236106); it seems there is a regression after test_php53-run (from package qa_test_php53-5.3.29-qa.4.15): http://qadb2.suse.de/qadb/regression.php?ref_submission_id=2987290&ref_tcf_id=&cand_submission_id=2988578&cand_tcf_id=.

I manually checked the failed test PHPTEST-ext-standard-tests-strings-url_t with the code:

"""
<?php
$sample_urls = array (
    '',
    'http://secret@hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123',
);
foreach ($sample_urls as $url) {
    var_dump(@parse_url($url));
}
$url = 'http://secret:hideout@www.php.net:80/index.php?test=1&test2=char&test3=mixesCI#some_page_ref123';
foreach (array(PHP_URL_SCHEME,PHP_URL_HOST,PHP_URL_PORT,PHP_URL_USER,PHP_URL_PASS,PHP_URL_PATH,PHP_URL_QUERY,PHP_URL_FRAGMENT) as $v) {
    var_dump(parse_url($url, $v));
}
?>
"""

and it output this:

"""
array(1) {
  ["path"]=>
  string(0) ""
}
array(6) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(26) "secret@hideout@www.php.net"
  ["port"]=>
  int(80)
  ["path"]=>
  string(10) "/index.php"
  ["query"]=>
  string(31) "test=1&test2=char&test3=mixesCI"
  ["fragment"]=>
  string(16) "some_page_ref123"
}
string(4) "http"
string(11) "www.php.net"
int(80)
string(6) "secret"
string(7) "hideout"
string(10) "/index.php"
string(31) "test=1&test2=char&test3=mixesCI"
string(16) "some_page_ref123"
"""

It is 'string(11) "www.php.net"' before the update, but it is 'secret@hideout@www.php.net' after the update. Is this expected? There is the same issue with the other failed tests:

PHPTEST-ext-standard-tests-url-parse_url_basic_001
PHPTEST-ext-standard-tests-url-parse_url_basic_003
PHPTEST-ext-standard-tests-url-parse_url_basic_005
@Petr: could you have a look at the QA finding please?
<guess> Do you happen to test CVE-2020-7071 simultaneously? If yes, then take a look at bug 1180706 comment 4, PATCH section. </guess>
(In reply to Petr Gajdos from comment #13)
> <guess>
> Do you happen to test CVE-2020-7071 simultaneously?
> If yes, then take a look at bug 1180706 comment 4, PATCH section.
> </guess>

Yes, php53-CVE-2020-7071.patch is already in php53 before this update. Does this mean that some tests in the php53 testsuite (qa_test_php53-5.3.29-qa.4.15) need to be updated?
(In reply to jun wang from comment #14)
> (In reply to Petr Gajdos from comment #13)
> > <guess>
> > Do you happen to test CVE-2020-7071 simultaneously?
> > If yes, then take a look at bug 1180706 comment 4, PATCH section.
> > </guess>
>
> yes, php53-CVE-2020-7071.patch is already in php53 before this update. Does
> this mean that some tests in php53 testsuite (qa_test_php53-5.3.29-qa.4.15)
> need to be updated ?

If they weren't yet through CVE-2020-7071, then yes, they have to be updated now.
(In reply to Petr Gajdos from comment #15)
> > (In reply to Petr Gajdos from comment #13)
> > > <guess>
> > > Do you happen to test CVE-2020-7071 simultaneously?
> > > If yes, then take a look at bug 1180706 comment 4, PATCH section.
> > > </guess>
> >
> > yes, php53-CVE-2020-7071.patch is already in php53 before this update. Does
> > this mean that some tests in php53 testsuite (qa_test_php53-5.3.29-qa.4.15)
> > need to be updated ?
>
> If they weren't yet through CVE-2020-7071, then yes, they have to be
> updated now.

(The upstream commits referenced in bug 1180706 comment 4, PATCH section, will instruct you how.)
SUSE-SU-2021:0584-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1182049
CVE References: CVE-2021-21702
JIRA References:
Sources used:
SUSE Manager Server 4.0 (src): php7-7.2.5-4.73.1
SUSE Manager Retail Branch Server 4.0 (src): php7-7.2.5-4.73.1
SUSE Manager Proxy 4.0 (src): php7-7.2.5-4.73.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): php7-7.2.5-4.73.1
SUSE Linux Enterprise Server for SAP 15 (src): php7-7.2.5-4.73.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): php7-7.2.5-4.73.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): php7-7.2.5-4.73.1
SUSE Linux Enterprise Server 15-LTSS (src): php7-7.2.5-4.73.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): php7-7.2.5-4.73.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): php7-7.2.5-4.73.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): php7-7.2.5-4.73.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): php7-7.2.5-4.73.1
SUSE Enterprise Storage 6 (src): php7-7.2.5-4.73.1
SUSE CaaS Platform 4.0 (src): php7-7.2.5-4.73.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Petr Gajdos from comment #16)
> (In reply to Petr Gajdos from comment #15)
> (upstream commits referenced in bug 1180706 comment 4, PATCH section will
> instruct you how)

Thank you, I will follow the comment to check php53.
SUSE-SU-2021:14668-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1182049
CVE References: CVE-2021-21702
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): php53-5.3.17-112.99.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src): php53-5.3.17-112.99.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-112.99.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-112.99.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
It looks like versions of php72 and php74 with the fix have been released for SLES 12, but no php7. Our CVE page for this CVE still lists php7 for SLES 12 as "In Progress". I have a customer that is asking for a fix for php7 for SLES 12 SP5 as their security team is flagging the version of php7 on their SLES 12 SP5 servers as being vulnerable to this CVE. Was this just overlooked?
Authoritative source of php codestreams support: https://confluence.suse.com/display/SLE/PHP php7 is declared not supported anymore, as far as I know.
(In reply to Petr Gajdos from comment #21)
> Authoritative source of php codestreams support:
>
> https://confluence.suse.com/display/SLE/PHP
>
> php7 is declared not supported anymore, as far as I know.

It is in the Web and Scripting module for SLES 12 and according to "zypper info php7" it is supported at level 3:

# zypper info php7
Information for package php7:
-----------------------------
Repository     : SLE-Module-Web-Scripting12-Updates
Name           : php7
Version        : 7.0.7-50.102.1
Arch           : x86_64
Vendor         : SUSE LLC <https://www.suse.com/>
Support Level  : Level 3
Installed Size : 4.8 MiB
Installed      : Yes
Status         : up-to-date
Source package : php7-7.0.7-50.102.1.src
Summary        : PHP7 Core Files
Description    :
    This package contains the PHP 7 core files, including PHP binary (CLI) and PHP configuration (php.ini). This package must be installed in order to use PHP. Additionally, extension modules and server modules (e.g. for Apache) may be installed. Additional documentation is available in package php-doc.
Going through the Release Notes for all of the SPs for SLES 12. The SLES 12 SP2 Release Notes mention that PHP has been upgraded from 5 to 7:

> 9.5.2 PHP 7 Packages Have Been Added to the Web and Scripting Module
> So far, the Web and Scripting module for SLES contained packages for
> PHP 5 only.
>
> The Web and Scripting module for SLES now additionally contains packages for
> PHP 7. For a detailed overview of changes over PHP 5, see
> https://secure.php.net/releases/7_0_0.php.

Then the SLES 12 SP5 Release Notes mention that PHP has been updated to 7.4:

> 5.5.3 PHP Has Been Updated to Version 7.4
> We upgraded PHP to version 7.4 to provide you with the latest release. To learn
> more about PHP version 7.4, we recommend reading the PHP release announcement
> and the 7.3.x to 7.4.x migration guide.
>
> As of January 2021, PHP 7.2 is no longer supported. For more information, see
> https://scc.suse.com/docs/lifecycle/sle/12/modules.

I guess that last bit implies that 7.0 is also no longer supported, but that is from the SP5 Release Notes, not SP4, and my customer is running SLES for SAP 12 SP4, so they are in ESPOS. There is no mention of the release of php72, nor of the end of support for php7, in any of the Release Notes of the SPs in between those two. At the least this is a bug against the documentation. I also ran "zypper lifecycle php7" and that does show that support has already ended, but shouldn't that information at least be in the Release Notes?

I will try to explain this to the customer and tell them that they should install php74 in lieu of php7. Thanks.
Done, closing.