oss-sec mailing list archives
Re: CVE assignment for PHP 5.6.27 and 7.0.12
From: Lior Kaplan <kaplanlior () gmail com>
Date: Tue, 1 Nov 2016 10:58:28 +0200
On Tue, Oct 18, 2016 at 7:34 PM, <cve-assign () mitre org> wrote:
Please assign a CVE for the following issue:

Bug #73147 Use After Free in unserialize()
https://bugs.php.net/bug.php?id=73147
http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f

Can you clarify what should be the scope of this CVE?

zend_unset_property doesn't exist at all in PHP 7.0.11. The 0e6fe3a4c96be2d3e88389a5776f878021b4c59f commit adds zend_unset_property for PHP 7.0.12, and arranges for zend_unset_property to be called only from "ZEND_METHOD(CURLFile, __wakeup)" in ext/curl/curl_file.c. We're not sure whether that affects anything outside of the CURLFile implementation.

However, 73147 discusses other concerns such as "The similar bug can be also triggered via Exception::__toString with DateInterval::__wakeup" and "The problem is that every __wakeup that modifies any property would produce the same problem."

There seems to be a related code change between 7.0.11 and 7.0.12 that arranges for additional calls to zend_unset_property:

http://git.php.net/?p=php-src.git;a=blobdiff;f=Zend/zend_exceptions.c;h=f21968733581a3cb672d039bec16ce6f17a93db9;hp=95d18f45fbea8808c00975b5df4619d5d6745ab0;hb=689a9b8def07875641b3132a82c701fb7acb676c;hpb=4165d976066129000d947ffa3be73f91e9867635

So, some of the options include:

1. 0e6fe3a4c96be2d3e88389a5776f878021b4c59f is a complete security patch that fixes everything discussed in 73147, including the "other concerns" mentioned above.

2. 0e6fe3a4c96be2d3e88389a5776f878021b4c59f fixes only the CURLFile implementation. The "other concerns" mentioned above are vulnerabilities that still exist in 7.0.12.

3. The combination of 0e6fe3a4c96be2d3e88389a5776f878021b4c59f and the above Zend/zend_exceptions.c diff is a complete security patch that fixes everything discussed in 73147, including the "other concerns" mentioned above. There only needs to be one CVE ID associated with this complete security patch.

4. The combination of 0e6fe3a4c96be2d3e88389a5776f878021b4c59f and the above Zend/zend_exceptions.c diff is a complete security patch that fixes everything discussed in 73147, including the "other concerns" mentioned above. There should be one CVE ID for the security fix to the CURLFile implementation, and a separate CVE ID for the security fix found in Zend/zend_exceptions.c.

Which of the above (1 through 4) is correct and/or preferred?
I've asked Stas (who fixed the issue) and #2 is the current situation.

Kaplan