oss-sec mailing list archives
Re: Fwd: PHP-FPM fpm_log.c memory leak and buffer overflow
From: cve-assign () mitre org
Date: Sat, 28 May 2016 23:22:55 -0400 (EDT)
> Date: Tue, 2 Feb 2016 17:10:22 +0100
> To: <oss-security () lists openwall com>
>
> Date: Mon, 25 Jan 2016 16:50:38 +0100
> To: bugtraq () securityfocus com
>
> The FastCGI Process Manager (FPM) SAPI of PHP was vulnerable to memory leak and buffer overflow in the access logging feature.
>
> the PHP engine performed an out-of-boundaries read and also wrote a \n character outside of the allocated memory.
>
> http://git.php.net/?p=php-src.git;a=commit;h=2721a0148649e07ed74468f097a28899741eb58f
> http://www.search-lab.hu/about-us/news/111-some-unusual-vulnerabilities-in-the-php-engine
>
> as it has some strict prerequisites, the severity is low.
>
> This was just an expanded version of the default access.format template, we added the REMOTE_ADDR and REQUEST_URI fields
As explained in the www.search-lab.hu post (in the section between "We found the answer by reviewing the source code" and "And here we are"), there was really only one underlying problem: the code misinterpreted the semantics of the snprintf return value. Use CVE-2016-5114.

The other outcomes were consequences of this. The "memory leak" is the same as the "out-of-boundaries read": extra bytes from process memory were being written to a log file that might be readable by untrusted users. The "buffer overflow" is the same as the "wrote a \n character outside of the allocated memory."

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
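The single root cause named above, treating the snprintf return value as the number of bytes stored, is a general C pitfall, so here is an added example of a log-line builder that handles it correctly. This is editor-supplied illustration code, not PHP's fpm_log.c and not the patched commit: the field names, the line layout "<remote_addr> <method> <uri>\n" and the sample values are constructed. snprintf returns the length the complete output would have had; when that exceeds the space available, the cursor must be clamped to what was actually stored, otherwise a later write of the trailing '\n' lands outside the buffer and a later read of "length" bytes copies adjacent process memory into the log, which is exactly the pair of symptoms the thread collapses into one CVE.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Append sep followed by value to the line in buf, starting at offset used.
 * Returns the new offset, which never exceeds size - 1 even on truncation.
 */
size_t append_field(char *buf, size_t size, size_t used,
                    const char *sep, const char *value)
{
    if (size == 0)
        return 0;
    if (used >= size - 1)
        return size - 1;              /* buffer already full */

    int n = snprintf(buf + used, size - used, "%s%s", sep, value);
    if (n < 0)
        return used;                  /* encoding error: nothing stored */

    /*
     * The pitfall: n is the length the complete output WOULD have had, not
     * the number of bytes snprintf stored. If n >= the space that was
     * available, using used + n as the next write offset points past the
     * end of buf. Clamp to the last usable position instead.
     */
    if ((size_t)n >= size - used)
        return size - 1;              /* truncated */
    return used + (size_t)n;
}

/*
 * Terminate the line with '\n' only if there is room for it and the NUL.
 * Returns the final line length, or -1 if the line was truncated.
 */
int finish_line(char *buf, size_t size, size_t used)
{
    if (used + 2 > size)
        return -1;
    buf[used] = '\n';
    buf[used + 1] = '\0';
    return (int)(used + 1);
}

/* Hypothetical access-line builder: "<remote_addr> <method> <uri>\n". */
int format_access_line(char *buf, size_t size, const char *remote_addr,
                       const char *method, const char *uri)
{
    if (size == 0)
        return -1;
    buf[0] = '\0';
    size_t used = 0;
    used = append_field(buf, size, used, "", remote_addr);
    used = append_field(buf, size, used, " ", method);
    used = append_field(buf, size, used, " ", uri);
    return finish_line(buf, size, used);
}

/* Check helpers: build the constructed sample line into a private buffer
 * of the requested size and report the result. */
static char scratch[64];

int demo_length(size_t size)
{
    if (size > sizeof scratch)
        size = sizeof scratch;
    return format_access_line(scratch, size, "203.0.113.5", "GET", "/index.php");
}

int demo_matches(size_t size, const char *expected)
{
    demo_length(size);
    return strcmp(scratch, expected) == 0;
}

int main(void)
{
    /* Full line fits in 64 bytes; 20 bytes cuts the URI; 16 leaves no room
     * for the newline. In every case the writes stay inside the buffer. */
    printf("%d: %s", demo_length(64), scratch);
    printf("%d: \"%s\"\n", demo_length(20), scratch);
    printf("%d: \"%s\"\n", demo_length(16), scratch);
    return 0;
}
```

The defensive rule the code applies is the one the fix in the thread comes down to: after every snprintf, compare the return value against the remaining space before using it as an offset or a length, and treat a result at or above that space as truncation rather than as bytes written.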