oss-sec mailing list archives

[CVE Request] Multiple vulnerabilities in PHP's Phar handling


From: Emmanuel Law <emmanuel.law () gmail com>
Date: Fri, 17 Apr 2015 03:11:27 +0800

This serves as a cve request + advisory.

--------Background---------
PHP has had the built-in Phar & PharData functionality since 5.3.0. It allows
developers to use them to manipulate the following archive types: tar, zip,
phar. Several vulnerabilities were found in the Phar extension.





[1: CVE Request]
There is a stack-based buffer overflow when opening tar, zip or phar
archives through the Phar extension. An attacker can exploit this to run
arbitrary code.
Affected versions: PHP < 5.6.8RC1
Bug Report: https://bugs.php.net/bug.php?id=69441
Patch:
http://git.php.net/?p=php-src.git;a=commit;h=f59b67ae50064560d7bfcdb0d6a8ab284179053c

Please assign a CVE for this.


[2: Advisory for CVE-2015-2783]
When processing a specially crafted phar file, it is possible to trigger a
buffer over-read in PHP's unserialize function. An attacker can exploit
this to dump memory info leak on the system.
Affected versions: PHP < 5.6.8RC1
Bug Report: https://bugs.php.net/bug.php?id=69324
Patch:
http://git.php.net/?p=php-src.git;a=commit;h=17cbd0b5b78a7500f185b3781a2149881bfff8ae

rgds,
Emmanuel
