oss-sec mailing list archives

Re: CVE assignment for PHP 5.6.27 and 7.0.12


From: Lior Kaplan <kaplanlior () gmail com>
Date: Tue, 1 Nov 2016 10:58:28 +0200

On Tue, Oct 18, 2016 at 7:34 PM, <cve-assign () mitre org> wrote:


Please assign a CVE for the following issue:

Bug #73147    Use After Free in unserialize()
https://bugs.php.net/bug.php?id=73147
http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f

Can you clarify what should be the scope of this CVE?
zend_unset_property doesn't exist at all in PHP 7.0.11. The
0e6fe3a4c96be2d3e88389a5776f878021b4c59f commit adds
zend_unset_property for PHP 7.0.12, and arranges for
zend_unset_property to be called only from
"ZEND_METHOD(CURLFile, __wakeup)" in ext/curl/curl_file.c.

We're not sure whether that affects anything outside of the CURLFile
implementation. However, 73147 discusses other concerns such as "The
similar bug can be also triggered via Exception::__toString with
DateInterval::__wakeup" and "The problem is that every __wakeup that
modifies any property would produce the same problem."

There seems to be a related code change between 7.0.11 and 7.0.12 that
arranges for additional calls to zend_unset_property:

  http://git.php.net/?p=php-src.git;a=blobdiff;f=Zend/zend_exceptions.c;h=f21968733581a3cb672d039bec16ce6f17a93db9;hp=95d18f45fbea8808c00975b5df4619d5d6745ab0;hb=689a9b8def07875641b3132a82c701fb7acb676c;hpb=4165d976066129000d947ffa3be73f91e9867635

So, some of the options include:

1. 0e6fe3a4c96be2d3e88389a5776f878021b4c59f is a complete security
patch that fixes everything discussed in 73147, including the "other
concerns" mentioned above.

2. 0e6fe3a4c96be2d3e88389a5776f878021b4c59f fixes only the CURLFile
implementation. The "other concerns" mentioned above are
vulnerabilities that still exist in 7.0.12.

3. The combination of 0e6fe3a4c96be2d3e88389a5776f878021b4c59f and the
above Zend/zend_exceptions.c diff is a complete security patch that
fixes everything discussed in 73147, including the "other concerns"
mentioned above. There only needs to be one CVE ID associated with
this complete security patch.

4. The combination of 0e6fe3a4c96be2d3e88389a5776f878021b4c59f and the
above Zend/zend_exceptions.c diff is a complete security patch that
fixes everything discussed in 73147, including the "other concerns"
mentioned above. There should be one CVE ID for the security fix to
the CURLFile implementation, and a separate CVE ID for the security
fix found in Zend/zend_exceptions.c.

Which of the above (1 through 4) is correct and/or preferred?


I've asked Stas (who fixed the issue) and #2 is the current situation.

Kaplan
