oss-sec mailing list archives

[CVE Request/Advisory] Multiple vulnerabilities in PHP's handling of Phar files

From: Emmanuel Law <emmanuel.law () gmail com>
Date: Mon, 18 May 2015 10:13:34 +1200


PHP has had the built-in Phar & PharData functionality since 5.3.0. It allows
developers to use them to manipulate the following archive types: tar, zip,
phar. Several vulnerabilities were found in the Phar extension.

[1: CVE Request - Memory Corruption in phar_parse_tarfile when entry
filename starts with null ]

Description:
------------
This is a single byte memory corruption vulnerability. It is triggered when
a tar entry->filename starts with a null byte. On an x86 machine, it has the
potential to corrupt the heap chunk metadata. On an x64 machine, it has the
potential to corrupt 1 byte at the offset entry.filename+0xFFFFFFFF.

Affected versions: PHP <= 5.6.8

Bug Report: https://bugs.php.net/bug.php?id=69453

Patch:

Can a CVE be assigned for this please?

[2: CVE-2015-3307 - Heap metadata corruption when parsing tar file in
phar_tar_process_metadata()]

Description:
------------
This is a vulnerability whereby the heap header gets misaligned, resulting in
the corruption of the heap chunk's metadata.

A heap chunk is allocated in ext/phar/tar.c:167:

    metadata = (char *) safe_emalloc(1, entry->uncompressed_filesize, 1);

A reference to this heap chunk is passed into phar_parse_metadata() at
ext/phar/tar.c:176:

    if (phar_parse_metadata(&metadata, &entry->metadata, entry->uncompressed_filesize TSRMLS_CC) == FAILURE) {

The following gets called within phar_parse_metadata:611 when
zip_metadata_len==0:

    PHAR_GET_32(*buffer, buf_len);

This moves the pointer referencing the heap chunk by 4 bytes. When the heap
chunk gets freed at tar.c:177:

    efree(metadata);

the heap chunk is now misaligned by 4 bytes. In other words:
ZEND_MM_HEADER_OF(metadata).info._size is now
ZEND_MM_HEADER_OF(metadata).info._prev, and
ZEND_MM_HEADER_OF(metadata).info._prev is tainted with the body's data.

Affected versions: PHP <= 5.6.8RC1

Bug Report: https://bugs.php.net/bug.php?id=69443&edit=2

Patch:
This patch was for CVE-2015-2783, but it inadvertently resolved this
vulnerability as well. The vulnerable line that was removed was:

    PHAR_GET_32(*buffer, buf_len);
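The misaligned-free pattern described in item 2, as an added example that is not part of the original post or of PHP's source: DEMO_GET_32 is a hypothetical stand-in for PHAR_GET_32, modelled only on the post's statement that the macro advances the pointer it is given by 4 bytes; parse_len_moving_caller_pointer reproduces the pointer-by-reference parse the post describes, parse_len_local_cursor is the hardened form that reads through a local cursor and bounds-checks first, and tar_entry_name_acceptable covers only the trigger condition the post gives for item 1 (a name starting with a NUL byte). All function names and the sample metadata bodies are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for PHAR_GET_32 (constructed, not PHP's macro):
 * read a little-endian 32-bit value, then advance the given pointer
 * expression by 4 bytes, which is the behaviour the advisory describes. */
#define DEMO_GET_32(buffer, var) do {                              \
    (var) = (uint32_t)(unsigned char)(buffer)[0]                   \
          | ((uint32_t)(unsigned char)(buffer)[1] << 8)            \
          | ((uint32_t)(unsigned char)(buffer)[2] << 16)           \
          | ((uint32_t)(unsigned char)(buffer)[3] << 24);          \
    (buffer) += 4;                                                 \
} while (0)

/* Item 2 pattern: the parser gets the allocation pointer by reference
 * (&metadata) and the macro moves it in place. After this returns,
 * *buffer points 4 bytes into the chunk, so freeing *buffer would hand
 * the allocator a misaligned pointer. */
static uint32_t parse_len_moving_caller_pointer(char **buffer)
{
    uint32_t buf_len;
    DEMO_GET_32(*buffer, buf_len);
    return buf_len;
}

/* Hardened variant: bounds-check, then parse through a local cursor so
 * the caller's allocation pointer is never modified. *ok is 0 when
 * fewer than 4 bytes are available. */
static uint32_t parse_len_local_cursor(const char *buffer, size_t avail, int *ok)
{
    const char *cursor = buffer;
    uint32_t buf_len = 0;
    if (avail < 4) { *ok = 0; return 0; }
    DEMO_GET_32(cursor, buf_len);
    *ok = 1;
    return buf_len;
}

/* Allocate a constructed 8-byte metadata body, run one of the two parsers,
 * and return how far the pointer the caller would later free has drifted
 * from the allocation base. The chunk is always freed via the saved base. */
static ptrdiff_t pointer_drift_after_parse(int hardened)
{
    const unsigned char body[8] = { 0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd' };
    char *base = malloc(sizeof body);
    char *metadata;
    int ok = 0;
    ptrdiff_t drift;
    if (base == NULL) return -1;
    memcpy(base, body, sizeof body);
    metadata = base;
    if (hardened)
        (void)parse_len_local_cursor(metadata, sizeof body, &ok);
    else
        (void)parse_len_moving_caller_pointer(&metadata);
    drift = metadata - base;
    free(base);
    return drift;
}

/* 1 if the hardened parser rejects a truncated 3-byte body and extracts
 * the value 4 from a well-formed 4-byte little-endian body. */
static int hardened_parser_behaves(void)
{
    const char short_body[3] = { 0x04, 0x00, 0x00 };
    const char full_body[4]  = { 0x04, 0x00, 0x00, 0x00 };
    int ok_short = 1, ok_full = 0;
    uint32_t len;
    (void)parse_len_local_cursor(short_body, sizeof short_body, &ok_short);
    len = parse_len_local_cursor(full_body, sizeof full_body, &ok_full);
    return ok_short == 0 && ok_full == 1 && len == 4;
}

/* Item 1 trigger check: reject a tar entry whose 100-byte name field
 * starts with a NUL byte before any name-based arithmetic runs. */
static int tar_entry_name_acceptable(const char *name)
{
    size_t len = 0;
    while (len < 100 && name[len] != '\0') len++;
    return len > 0;
}

int main(void)
{
    printf("drift after original pattern: %ld bytes\n", (long)pointer_drift_after_parse(0));
    printf("drift after hardened pattern: %ld bytes\n", (long)pointer_drift_after_parse(1));
    printf("NUL-leading tar name accepted: %d\n", tar_entry_name_acceptable("\0foo"));
    return 0;
}
```

The point of the drift measurement is that the allocator never sees the moved pointer: a reviewer looking for this bug class checks whether any pointer that is later passed to efree() or free() is also handed, by address, to a parser that may advance it.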

