oss-sec mailing list archives
[CVE Request/Advisory] Multiple vulnerabilities in PHP's handling of Phar files
From: Emmanuel Law <emmanuel.law () gmail com>
Date: Mon, 18 May 2015 10:13:34 +1200
Hi

--------Background---------

PHP has had the built-in Phar & PharData functionality since 5.3.0. It allows developers to manipulate the following archive types: tar, zip, phar. Several vulnerabilities were found in the Phar extension.

[1: CVE Request - Memory Corruption in phar_parse_tarfile when entry filename starts with null]

Description:
------------
This is a single-byte memory corruption vulnerability. It is triggered when a tar entry->filename starts with a null byte. On an x86 machine, it has the potential to corrupt the heap chunk metadata. On an x64 machine, it has the potential to corrupt 1 byte at the offset entry.filename+0xFFFFFFFF.

Affected versions: PHP <= 5.6.8
Bug Report: https://bugs.php.net/bug.php?id=69453
Patch: http://git.php.net/?p=php-src.git;a=commit;h=c27f012b7a447e59d4a704688971cbfa7dddaa74

Can a CVE be assigned for this please?

[2: CVE-2015-3307 - Heap metadata corruption when parsing tar file in phar_tar_process_metadata()]

Description:
------------
This is a vulnerability whereby the heap header gets misaligned, resulting in the corruption of the heap chunk's metadata.

A heap chunk is allocated in ext/phar/tar.c:167:

    metadata = (char *) safe_emalloc(1, entry->uncompressed_filesize, 1);

A reference to this heap chunk is passed into phar_parse_metadata() at ext/phar/tar.c:176:

    if (phar_parse_metadata(&metadata, &entry->metadata, entry->uncompressed_filesize TSRMLS_CC) == FAILURE) {

The following gets called within phar_parse_metadata:611 when zip_metadata_len==0:

    PHAR_GET_32(*buffer, buf_len);

This moves the pointer referencing the heap chunk by 4 bytes. When the heap chunk gets freed at tar.c:177:

    efree(metadata);

the heap chunk is now misaligned by 4 bytes. In other words: ZEND_MM_HEADER_OF(metadata).info._size is now ZEND_MM_HEADER_OF(metadata).info._prev, and ZEND_MM_HEADER_OF(metadata).info._prev is tainted with the body's data.

Affected versions: PHP <= 5.6.8RC1
Bug Report: https://bugs.php.net/bug.php?id=69443&edit=2
Patch: http://git.php.net/?p=php-src.git;a=commit;h=17cbd0b5b78a7500f185b3781a2149881bfff8ae

This patch was for CVE-2015-2783, but it inadvertently resolved this vulnerability as well. The vulnerable line that was removed was ext/phar/phar.c:611:

    PHAR_GET_32(*buffer, buf_len);

Thanks.
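The pointer drift behind CVE-2015-3307, as an added example in C that is not code from the advisory or from php-src: a parser that advances the caller's own pointer (the pre-patch pattern) beside a hardened caller that parses through a scratch cursor, so the pointer later handed to free() still points at the allocation base. phar_get_32, parse_metadata and misalignment_before_free are hypothetical stand-ins modelled on the names in the advisory; the actual php-src fix removed the PHAR_GET_32 read entirely.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for PHP's PHAR_GET_32(): read a little-endian 32-bit word and
 * advance the cursor past it. Modelled on the macro, not copied from it. */
static uint32_t phar_get_32(char **cursor)
{
    const unsigned char *p = (const unsigned char *)*cursor;
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    *cursor += 4;
    return v;
}

/* Hypothetical simplification of the pre-patch phar_parse_metadata(): it
 * consumes the length word through the pointer it was given, so the
 * caller's own variable ends up 4 bytes past the allocation. */
static int parse_metadata(char **buffer, size_t buf_len, uint32_t *len_out)
{
    if (buf_len < 4)
        return -1;
    *len_out = phar_get_32(buffer);
    return 0;
}

/* Measure how far the pointer a caller would hand to free() has drifted
 * from the allocation base. Non-zero is the CVE-2015-3307 condition.
 * The shifted pointer is never freed here; only the true base is. */
size_t misalignment_before_free(int use_scratch_cursor)
{
    size_t size = 16;
    char *base = malloc(size + 1);   /* what safe_emalloc(1, size, 1) returned */
    char *metadata = base;           /* tar.c's variable, later passed to efree() */
    char *cursor = base;             /* hardened pattern: parse via a scratch copy */
    uint32_t len = 0;
    size_t drift;
    if (base == NULL)
        return (size_t)-1;
    memset(base, 0, size + 1);       /* constructed, zero-length metadata body */
    if (use_scratch_cursor)
        parse_metadata(&cursor, size, &len);     /* metadata stays at base */
    else
        parse_metadata(&metadata, size, &len);   /* metadata advanced by 4 */
    drift = (size_t)(metadata - base);
    free(base);
    return drift;
}
```

Any drift other than zero means the later efree() would land 4 bytes into the chunk, which is exactly the header misalignment the advisory describes.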