Bug 1015189 (CVE-2016-9935)

Summary: VUL-0: CVE-2016-9935: php5,php53,php7: Invalid read when wddx decodes empty boolean element
Product: [Novell Products] SUSE Security Incidents
Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, pgajdos
Version: unspecified   
Target Milestone: unspecified   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:SUSE:CVE-2016-9935:1.5:(AV:L/AC:M/Au:S/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2016-9935:4.0:(AV:N/AC:H/Au:N/C:P/I:N/A:P) CVSSv2:NVD:CVE-2016-9935:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) maint:released:sle10-sp3:63305 CVSSv3:NVD:CVE-2016-9935:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2016-9935:4.2:(AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L)
Attachments: CVE-2016-9935.php

Description Mikhail Kasimov 2016-12-12 18:22:35 UTC
Reference: http://seclists.org/oss-sec/2016/q4/658
===================================================
    Fixed in PHP 5.6.29 and 7.0.14:
    Bug #73631    Invalid read when wddx decodes empty boolean element
    https://bugs.php.net/bug.php?id=73631
    https://github.com/php/php-src/commit/66fd44209d5ffcb9b3d1bc1b9fd8e35b485040c0


Use CVE-2016-9935.

===================================================
Comment 1 Swamp Workflow Management 2016-12-12 23:02:39 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-12-13 16:10:58 UTC
Created attachment 706293
CVE-2016-9935.php

QA REPRODUCER:

php CVE-2016-9935.php

should not segfault.
Comment 3 Marcus Meissner 2016-12-13 16:14:53 UTC
php53 also crashes, assuming all affected.
Comment 4 Petr Gajdos 2016-12-14 12:04:39 UTC
Yes, crashes from php7 to 10sp3/php5.
Comment 5 Petr Gajdos 2016-12-14 13:45:37 UTC
All affected down to 11/php5.

AFTER

$ php test.php

float(2261634.5098039)
$
Comment 6 Petr Gajdos 2016-12-14 19:06:59 UTC
Packages submitted.
Comment 8 Bernhard Wiedemann 2016-12-14 21:00:50 UTC
This is an autogenerated message for OBS integration:
This bug (1015189) was mentioned in
https://build.opensuse.org/request/show/445958 13.2 / php5
Comment 9 Swamp Workflow Management 2016-12-19 14:38:20 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-01-02.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63304
Comment 10 Swamp Workflow Management 2016-12-22 14:17:00 UTC
openSUSE-SU-2016:3239-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-89.1
Comment 12 Swamp Workflow Management 2017-01-04 14:08:10 UTC
SUSE-SU-2017:0017-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189,1015191
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935,CVE-2016-9936
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php7-7.0.7-28.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-28.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-28.2
Comment 13 Swamp Workflow Management 2017-01-05 18:08:55 UTC
SUSE-SU-2017:0038-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php5-5.5.14-89.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-89.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-89.2
Comment 14 Swamp Workflow Management 2017-01-08 00:22:15 UTC
openSUSE-SU-2017:0081-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
openSUSE Leap 42.2 (src):    php5-5.5.14-72.1
openSUSE Leap 42.1 (src):    php5-5.5.14-71.1
Comment 15 Swamp Workflow Management 2017-01-11 20:09:41 UTC
SUSE-SU-2017:0109-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1012232,1015187,1015188,1015189,974305
CVE References: CVE-2014-9912,CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-94.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-94.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-94.1
Comment 17 Swamp Workflow Management 2017-01-30 13:27:13 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-02-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63367
Comment 19 Swamp Workflow Management 2017-03-03 17:09:01 UTC
openSUSE-SU-2017:0598-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
openSUSE Leap 42.2 (src):    php5-5.5.14-75.2
openSUSE Leap 42.1 (src):    php5-5.5.14-75.1
Comment 21 Marcus Meissner 2017-06-15 20:09:08 UTC
released