Bug 1019570 (CVE-2017-5340)

Summary: VUL-1: CVE-2017-5340: php7: use of uninitialized memory in unserialize() related to large array allocations
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/178439/
Whiteboard: CVSSv2:SUSE:CVE-2017-5340:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv3.1:SUSE:CVE-2017-5340:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2017-01-12 12:09:44 UTC
https://bugs.php.net/bug.php?id=73832

Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain
cases that require large array allocations, which allows remote attackers to
execute arbitrary code or cause a denial of service (integer overflow,
uninitialized memory access, and use of arbitrary destructor function pointers)
via crafted serialized data.

https://github.com/php/php-src/commit/4cc0286f2f3780abc6084bcdae5dce595daa3c12

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5340
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5340.html
http://www.cvedetails.com/cve/CVE-2017-5340/
https://github.com/php/php-src/commit/4cc0286f2f3780abc6084bcdae5dce595daa3c12
https://bugs.php.net/bug.php?id=73832
Comment 1 Andreas Stieger 2017-01-12 12:36:29 UTC
php7 only.

This relies on untrusted input being passed to the PHP function unserialize. This is widely known and documented to be insecure. Treating as VUL-1 for this type of vulnerability.
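The comment above rates the issue VUL-1 because the vulnerable code path is only reached when untrusted bytes are handed to unserialize(). The following is an added example, not code from the bug report, the SUSE packages or php-src, showing the three ways an application typically handles such input; the handler names and the sample payloads are constructed for illustration. Restricting allowed_classes removes the destructor and __wakeup() gadget surface, but it does not protect against a parser-level memory bug like this one, which is only fixed by the patched php7 package; keeping untrusted data in JSON avoids the serialize() parser entirely.

```php
<?php
// Added example (not from the bug report or php-src). Written to run on
// PHP 7.0+, the major version this bug affects; no 7.3+/8.x-only features.

// Constructed sample inputs standing in for, e.g., a cookie or POST field.
$untrustedSerialized = 'a:2:{s:4:"user";s:5:"alice";s:4:"role";s:6:"viewer";}';
$untrustedJson       = '{"user":"alice","role":"viewer"}';

// Risky: untrusted bytes reach the full unserialize() parser with object
// instantiation enabled. Every parser defect (such as CVE-2017-5340) and
// every class with a side-effecting __wakeup()/__destruct() is reachable.
function loadStateUnsafe(string $data)
{
    return unserialize($data);
}

// Better, when the serialize() format cannot be avoided: forbid object
// creation. This closes the gadget surface but NOT memory-safety bugs in
// the parser itself; those require the fixed PHP build.
function loadStateRestricted(string $data)
{
    // allowed_classes exists since PHP 7.0.0; '@' silences the E_NOTICE
    // emitted for malformed input so the caller sees one clean failure path.
    $result = @unserialize($data, ['allowed_classes' => false]);

    // unserialize() returns false on failure. The only legitimate input that
    // also yields false is 'b:0;', so it has to be special-cased.
    if ($result === false && $data !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized payload');
    }
    return $result;
}

// Preferred for untrusted data: a format whose decoder never instantiates
// classes. json_decode() with $assoc = true yields only scalars and arrays.
function loadStateJson(string $data): array
{
    $decoded = json_decode($data, true, 16);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new UnexpectedValueException('malformed JSON: ' . json_last_error_msg());
    }
    if (!is_array($decoded)) {
        throw new UnexpectedValueException('expected a JSON object');
    }
    return $decoded;
}

$restricted = loadStateRestricted($untrustedSerialized);
$json       = loadStateJson($untrustedJson);
var_dump($restricted['role'], $json['role']);
```

In a code review, loadStateUnsafe() is the pattern to flag wherever $data can originate outside the process (cookies, request bodies, caches shared with other tenants); loadStateJson() is the drop-in replacement when the producing side can be changed, and loadStateRestricted() is the fallback when it cannot.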
Comment 2 Petr Gajdos 2017-01-16 12:16:50 UTC
(In reply to Andreas Stieger from comment #1)
> php7 only.

Thanks for figuring it out.
Comment 3 Petr Gajdos 2017-01-16 16:06:34 UTC
Packages submitted.
Comment 8 Swamp Workflow Management 2017-02-22 14:09:12 UTC
SUSE-SU-2017:0534-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1008026,1019547,1019550,1019568,1019570,1022219,1022255,1022257,1022260,1022262,1022263,1022264,1022265
CVE References: CVE-2016-10158,CVE-2016-10159,CVE-2016-10160,CVE-2016-10161,CVE-2016-10162,CVE-2016-10166,CVE-2016-10167,CVE-2016-10168,CVE-2016-7478,CVE-2016-7479,CVE-2016-7480,CVE-2016-9138,CVE-2017-5340
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php7-7.0.7-35.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-35.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-35.1
Comment 9 Swamp Workflow Management 2017-03-02 14:12:53 UTC
openSUSE-SU-2017:0588-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1008026,1019547,1019550,1019568,1019570,1022219,1022255,1022257,1022260,1022262,1022263,1022264,1022265
CVE References: CVE-2016-10158,CVE-2016-10159,CVE-2016-10160,CVE-2016-10161,CVE-2016-10162,CVE-2016-10166,CVE-2016-10167,CVE-2016-10168,CVE-2016-7478,CVE-2016-7479,CVE-2016-7480,CVE-2016-9138,CVE-2017-5340
Sources used:
openSUSE Leap 42.2 (src):    php7-7.0.7-12.1
Comment 10 Matthias Gerstner 2017-03-06 10:07:38 UTC
Affected php7/12 codestream released. openSUSE comes from SLE. Closing.