oss-sec mailing list archives
Re: CVE Request: Use after free in PHP Collator::sortWithSortKeys function
From: cve-assign () mitre org
Date: Tue, 22 Dec 2015 12:12:13 -0500 (EST)
> I reported a use after free in PHP's Intl extension. The vulnerability is in the Collator::sortWithSortKeys function. Only PHP 7.0.0 is affected. This can potentially be remotely exploitable if the sorting function is called on a user supplied array.
>
> https://bugs.php.net/bug.php?id=71020
> - Array is destroyed via zval_ptr_dtor( array );
> - sortKeyIndxBuf[0....0xba].zstr are now dangling pointers
> - New array initialized (Hashtable with initial element size of 8)
> - As the dangling pointers are added to array, the size of the Hashtable grows.
> - As the Hashtable grows, it's allocated more memory via zend_hash_do_resize()
> - It will then be allocated memory that coincides with an address pointed to by the dangling pointer sortKeyIndxBuf[j].zstr. Thus sortKeyIndxBuf[j].zstr now no longer points to a valid zval.
> - ... it will access dereference whatever is the value within this "corrupted zval"
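As an added example, not taken from the bug report or from PHP's source, a small C model of the ordering defect the list above describes: sort keys that alias the input array's elements, the reported destroy-then-copy ordering, and the safe ordering beside it. The types, helper names and the strcmp-based key are assumptions standing in for PHP's zvals and ICU sort keys.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the CVE-2015-8616 ordering defect, not PHP's code; strcmp stands in for ICU sort keys. */
typedef struct { const char *zstr; } sort_key;         /* like sortKeyIndxBuf[i].zstr */
typedef struct { char **items; size_t count; } array;  /* stands in for a PHP string array */
static char *dup_str(const char *s) {                  /* strdup without the POSIX feature macro */
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}
static int key_cmp(const void *a, const void *b) { return strcmp(((const sort_key *)a)->zstr, ((const sort_key *)b)->zstr); }
array *array_new(size_t count) {
    array *a = calloc(1, sizeof *a);
    a->items = calloc(count, sizeof *a->items); a->count = count;
    return a;
}
void array_free(array *a) {                            /* plays the role of zval_ptr_dtor(array) */
    for (size_t i = 0; i < a->count; i++) free(a->items[i]);
    free(a->items); free(a);
}
static sort_key *build_keys(const array *in) {         /* keys alias the input elements, not copies */
    sort_key *keys = calloc(in->count, sizeof *keys);
    for (size_t i = 0; i < in->count; i++) keys[i].zstr = in->items[i];
    qsort(keys, in->count, sizeof *keys, key_cmp);
    return keys;
}
/* Reported ordering, kept for comparison: the input is destroyed while keys[] still alias its elements. */
array *sort_with_sort_keys_buggy(array *in) {
    size_t n = in->count;
    sort_key *keys = build_keys(in);
    array_free(in);                                    /* keys[].zstr now dangle */
    array *out = array_new(n);
    for (size_t i = 0; i < n; i++) out->items[i] = dup_str(keys[i].zstr);  /* use after free */
    free(keys);
    return out;
}
/* Fixed ordering: copy (in PHP terms, take a reference to) each element while the source is alive. */
array *sort_with_sort_keys_fixed(array *in) {
    sort_key *keys = build_keys(in);
    array *out = array_new(in->count);
    for (size_t i = 0; i < in->count; i++) out->items[i] = dup_str(keys[i].zstr);  /* source still valid */
    free(keys);
    array_free(in);                                    /* release the old array last */
    return out;
}
array *demo_fixed(void) {                              /* constructed three-element input */
    const char *words[] = {"pear", "apple", "fig"};
    array *in = array_new(3);
    for (size_t i = 0; i < 3; i++) in->items[i] = dup_str(words[i]);
    return sort_with_sort_keys_fixed(in);
}
```

Built with AddressSanitizer, the copy loop of the buggy routine is reported as a heap use-after-free while the fixed routine runs clean; the same ordering check (does anything still point into the container being destroyed?) is the one to apply when reviewing code that rebuilds arrays in place.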
> [2015-12-07 19:04 UTC] ab () php net
> Yeah, we should have kept this till short before the release, as usually done for security patches.
Use CVE-2015-8616.

Also, while we're doing CVEs for PHP 7.0.1, this one is CVE-2015-8617:

https://bugs.php.net/bug.php?id=71105
http://php.net/ChangeLog-7.php
https://github.com/php/php-src/commit/b101a6bbd4f2181c360bd38e7683df4a03cba83e

> [2015-12-13 02:48 UTC] laruence () php net
> ... this is a security fix
>
> A format string vulnerability exists in PHP-7.0.0 due to how non-existent class names are handled.
> ...
> Adding a "%s" as the second parameter there seems to fix the issue.

If anyone is familiar with "Fixed double free in error condition of format printer" in that changelog and wants a CVE ID, please let us know.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- CVE Request: Use after free in PHP Collator::sortWithSortKeys function Emmanuel Law (Dec 22)
- Re: CVE Request: Use after free in PHP Collator::sortWithSortKeys function cve-assign (Dec 22)