oss-sec mailing list archives

Re: CVE Request: more php unserializing issues


From: Marcus Meissner <meissner () suse de>
Date: Tue, 1 Sep 2015 08:04:14 +0200

Hi,

forgot to CC Mitre and PHP

Ciao, Marcus

On Wed, Aug 19, 2015 at 11:49:45AM +0200, Marcus Meissner wrote:
Hi,

I am not sure these have CVE ids yet:

https://bugs.php.net/bug.php?id=70068
Dangling pointer in the unserialization of ArrayObject items
      impact: remote code execution


https://bugs.php.net/bug.php?id=70166
https://bugs.php.net/bug.php?id=70155 (dup)
Use After Free Vulnerability in unserialize() with SPLArrayObject

https://bugs.php.net/bug.php?id=70168
Use After Free Vulnerability in unserialize() with SplObjectStorage

https://bugs.php.net/bug.php?id=70169
Use After Free Vulnerability in unserialize() with SplDoublyLinkedList


These look like they can be exploited for code execution.


https://bugs.php.net/bug.php?id=70019
Files extracted from archive may be placed outside of destination directory

(indirect reference also https://msisac.cisecurity.org/advisories/2015/2015-091.cfm
 and the php release notes
 http://php.net/ChangeLog-5.php#5.4.44
 http://php.net/ChangeLog-5.php#5.5.28
 http://php.net/ChangeLog-5.php#5.6.12
)

Ciao, Marcus


-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner () suse de>

