Bug 1015191 (CVE-2016-9936)

Summary: VUL-0: CVE-2016-9936: php: Use After Free in PHP7 unserialize()
Product: [Novell Products] SUSE Security Incidents
Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, pgajdos
Version: unspecified
Target Milestone: unspecified
Hardware: Other
OS: Other
Whiteboard: CVSSv2:SUSE:CVE-2016-9936:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-9936:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: CVE-2016-9936.php
             CVE-2016-9936-1.php

Description Mikhail Kasimov 2016-12-12 18:24:32 UTC
Reference: http://seclists.org/oss-sec/2016/q4/658
===================================================
    Fixed in PHP 7.0.14 and 7.1.0:
    Bug #72978    Use After Free in PHP7 unserialize()
    https://bugs.php.net/bug.php?id=72978
    https://github.com/php/php-src/commit/b2af4e8868726a040234de113436c6e4f6372d17


Use CVE-2016-9936. The b2af4e8868726a040234de113436c6e4f6372d17 commit
message is "Complete the fix of bug #70172 for PHP 7." Because 70172
is referenced by CVE-2015-6834, it is possible to say that
CVE-2016-9936 exists because of an incomplete fix for CVE-2015-6834.
===================================================
Comment 1 Swamp Workflow Management 2016-12-12 23:02:52 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-12-13 07:24:13 UTC
Created attachment 706167 [details]
CVE-2016-9936.php

QA REPRODUCER:

php CVE-2016-9936.php

wrong:
array(2) {
  [0]=>
  object(obj1)#1 (1) {
    ["data"]=>
    string(3) "hi0"
  }
  [1]=>
  object(obj2)#2 (1) {
    ["ryat"]=>
    &NULL  <<<<<<<<<<<<<<<<<<<<<<<<<<< HERE
  }
}

should be

array(2) {
  [0]=>
  object(obj1)#1 (1) {
    ["data"]=>
    string(3) "hi0"
  }
  [1]=>
  object(obj2)#2 (1) {
    ["ryat"]=>
    int(1)      <<<<<< CORRECT (according to testcase in php bug)
  }
}
Comment 3 Marcus Meissner 2016-12-13 07:28:04 UTC
QA: might not be a good indicator.

QA: seems to need php7-curl installed as precondition
Comment 4 Marcus Meissner 2016-12-13 07:52:45 UTC
Created attachment 706171 [details]
CVE-2016-9936-1.php

QA REPRODUCER:

secondary attachment poc

but on Tumbleweed I only get:

php CVE-2016-9936-1.php
string(52) "Unserialization of CURLFile instances is not allowed"
Comment 5 Petr Gajdos 2016-12-14 18:15:03 UTC
Perhaps I am wrong, but I think what is more important is the "hi0" string before and "ryat" after.

php7, BEFORE CVE-2016-9936 patch
(test.php is from comment 2, test2.php is from comment 4)

$ test.php
array(2) {
  [0]=>
  object(obj1)#1 (1) {
    ["data"]=>
    string(3) "hi0"
  }
  [1]=>
  object(obj2)#2 (1) {
    ["ryat"]=>
    &NULL
  }
}
$ php test2.php
$

php7, AFTER CVE-2016-9936 patch

array(2) {
  [0]=>
  object(obj1)#1 (1) {
    ["data"]=>
    string(4) "ryat"
  }
  [1]=>
  object(obj2)#2 (1) {
    ["ryat"]=>
    NULL
  }
}
$ php test2.php
string(52) "Unserialization of CURLFile instances is not allowed"
$

I also think that the fix from comment 0 concerns just php7. It seems they fixed CVE-2015-6834 in the php5 series in a slightly different way (see the comments of bug #70172). Also, the following commit is not present in the php5 branch:

http://git.php.net/?p=php-src.git;a=commitdiff;h=9c35f87e9aac29fb8f574f99edc09b344380aef0

Also I get with the test cases for 12/php5:

$ php test.php
array(2) {
  [0]=>
  object(obj1)#1 (1) {
    ["data"]=>
    &NULL
  }
  [1]=>
  object(obj2)#2 (1) {
    ["ryat"]=>
    &NULL
  }
}
$ php test2.php
string(52) "Unserialization of CURLFile instances is not allowed"
$

In short, I have no proof that php5 is affected by CVE-2016-9936.
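The bug discussed in this report is triggered by feeding crafted serialized data to unserialize(), and the "Unserialization of CURLFile instances is not allowed" message in the outputs above is one instance of PHP refusing to rebuild a class from such input. The following is an added example, not code from the bug report, its attachments, or the PHP project: a wrapper that applies the same idea generally for input crossing a trust boundary, using the `allowed_classes` option of unserialize() (available since PHP 7.0) so that no object record can instantiate an application class, and then refusing any object that survives. The function names `guardedUnserialize` and `rejectObjects`, the size and depth limits, and both sample payloads are constructed for this example; the second payload merely mirrors the obj1/obj2 layout visible in the reproducer output and is not the attached proof of concept.

```php
<?php
// Added example (not from the bug report or PHP itself): a guarded
// unserialize() wrapper for data received from an untrusted source.
// All inputs below are constructed; none is the attachment from this bug.

declare(strict_types=1);

/**
 * Deserialize untrusted data without letting it instantiate classes.
 * Returns the decoded value or throws on anything suspicious.
 *
 * @param string $data      serialized string received from outside
 * @param int    $maxLength reject oversized blobs before parsing them
 */
function guardedUnserialize(string $data, int $maxLength = 65536)
{
    if (strlen($data) > $maxLength) {
        throw new InvalidArgumentException('serialized payload too large');
    }

    // PHP >= 7.0: allowed_classes => false turns every "O:" record into a
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() of real classes runs.
    $value = unserialize($data, ['allowed_classes' => false]);

    // unserialize() returns false both on failure and for the literal "b:0;".
    if ($value === false && $data !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized payload');
    }

    rejectObjects($value);
    return $value;
}

/** Walk the decoded structure and refuse any object, complete or not. */
function rejectObjects($value, int $depth = 0)
{
    if ($depth > 64) {
        throw new UnexpectedValueException('structure nested too deeply');
    }
    if (is_object($value)) {
        if ($value instanceof __PHP_Incomplete_Class) {
            // Reading properties of an incomplete object raises a notice;
            // the array cast exposes the original class name safely.
            $props = (array) $value;
            $name  = $props['__PHP_Incomplete_Class_Name'] ?? 'unknown';
        } else {
            $name = get_class($value);
        }
        throw new UnexpectedValueException("object of class $name not permitted");
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            rejectObjects($item, $depth + 1);
        }
    }
}

// Constructed inputs: a harmless scalar/array blob, and one that carries
// object records shaped like the obj1/obj2 layout in the reproducer output.
$plain   = serialize(['id' => 42, 'tags' => ['a', 'b']]);
$objects = 'a:2:{i:0;O:4:"obj1":1:{s:4:"data";s:3:"hi0";}'
         . 'i:1;O:4:"obj2":1:{s:4:"ryat";i:1;}}';

// Accepted: plain data decodes to an array with no objects.
var_dump(guardedUnserialize($plain));

// Rejected: the object records never become obj1/obj2 instances, and the
// wrapper refuses the incomplete placeholders that remain.
try {
    guardedUnserialize($objects);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The wrapper limits exposure rather than fixing the parser: the authoritative mitigation for this report is the patched php7 package, and for data formats that never need object graphs, json_decode() avoids unserialize() altogether.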
Comment 6 Petr Gajdos 2016-12-14 19:06:59 UTC
Packages submitted.
Comment 8 Swamp Workflow Management 2017-01-04 14:08:19 UTC
SUSE-SU-2017:0017-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189,1015191
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935,CVE-2016-9936
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php7-7.0.7-28.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-28.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-28.2
Comment 9 Swamp Workflow Management 2017-01-08 00:10:25 UTC
openSUSE-SU-2017:0061-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189,1015191
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935,CVE-2016-9936
Sources used:
openSUSE Leap 42.2 (src):    php7-7.0.7-9.1
Comment 10 Marcus Meissner 2017-06-15 20:09:17 UTC
released