Bug 1080234 (CVE-2016-10712)

Summary: VUL-0: CVE-2016-10712: php5,php53: The return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads)
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/199704/
Whiteboard: CVSSv3:SUSE:CVE-2016-10712:9.4:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) maint:released:sle10-sp3:63967 CVSSv2:NVD:CVE-2016-10712:5.0:(AV:N/AC:L/Au:N/C:N/I:P/A:N) CVSSv3:RedHat:CVE-2016-10712:3.7:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2018-02-09 07:41:08 UTC
CVE-2016-10712

In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of
the return values of stream_get_meta_data can be controlled if the
input can be controlled (e.g., during file uploads). For example, a
"$uri = stream_get_meta_data(fopen($file, "r"))['uri']" call mishandles
the case where $file is data:text/plain;uri=eviluri, -- in other words,
metadata can be set by an attacker.

Upstream bug: https://bugs.php.net/bug.php?id=71323
Upstream fix: https://git.php.net/?p=php-src.git;a=commit;h=6297a117d77fa3a0df2e21ca926a92c231819cd5

php7 not affected, all others are AFAICS

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10712
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10712
Comment 2 Petr Gajdos 2018-02-09 17:11:31 UTC
Agreed:

devel/php7:

$ php -r 'var_dump(stream_get_meta_data(fopen("data:real/evil;mediatype=text/plain,", "r"))["mediatype"]);'
string(9) "real/evil"
$

12/php7

$ php -r 'var_dump(stream_get_meta_data(fopen("data:real/evil;mediatype=text/plain,", "r"))["mediatype"]);'
string(9) "real/evil"
$

11sp3/php53

$ php -r 'var_dump(stream_get_meta_data(fopen("data:real/evil;mediatype=text/plain,", "r")));' | grep -A 1 'mediatype.*=>'
  ["mediatype"]=>
  string(10) "text/plain"
$

11/php5

$ php -r 'var_dump(stream_get_meta_data(fopen("data:real/evil;mediatype=text/plain,", "r")));' | grep -A 1 'mediatype.*=>'
  ["mediatype"]=>
  string(10) "text/plain"
$

PATCH

https://git.php.net/?p=php-src.git;a=commit;h=6297a117d77fa3a0df2e21ca926a92c231819cd5

12/php7: has the fix included, not affected

AFTER

12/php5

$ php -r 'var_dump(stream_get_meta_data(fopen("data:real/evil;mediatype=text/plain,", "r"))["mediatype"]);'
string(9) "real/evil"
$

11sp3/php53

$ php -r 'var_dump(stream_get_meta_data(fopen("data:real/evil;mediatype=text/plain,", "r")));' | grep -A 1 'mediatype.*=>'
  ["mediatype"]=>
  string(9) "real/evil"
$

11/php5

$ php -r 'var_dump(stream_get_meta_data(fopen("data:real/evil;mediatype=text/plain,", "r")));' | grep -A 1 'mediatype.*=>'
  ["mediatype"]=>
  string(9) "real/evil"
$
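An added example (not from this bug report, the upstream fix, or PHP's own code) of the defensive lesson behind the description and the reproduction above: on affected versions a `data:` stream's metadata is derived from the attacker's string, so a trust decision must be made before `fopen()` from the input itself, never from `stream_get_meta_data()` afterwards. The function name `open_local_file` and the use of the system temp dir as base directory are assumptions.

```php
<?php
// Added example (not from the bug report): decide trust *before* fopen(),
// never from stream_get_meta_data() of an attacker-controlled file name.

/**
 * Open $name only if it is a plain local file directly below $baseDir.
 * Wrapper syntax ("data:", "php://", "http://", ...) is rejected up front:
 * on unpatched PHP the metadata of such streams is attacker-chosen, so a
 * check on 'wrapper_type' or 'uri' after opening would itself be spoofable.
 */
function open_local_file($baseDir, $name)
{
    // Any scheme prefix selects a stream wrapper rather than a plain file.
    if (preg_match('~^[A-Za-z][A-Za-z0-9+.\-]*:~', $name)) {
        throw new InvalidArgumentException("wrapper syntax rejected: $name");
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException("path escapes base dir: $name");
    }
    $fp = fopen($real, 'rb');
    if ($fp === false) {
        throw new RuntimeException("cannot open $real");
    }
    return $fp;
}

// Constructed input taken from the report: the ;mediatype= parameter shadows
// the real media type in the metadata array on vulnerable versions.
$evil = 'data:real/evil;mediatype=text/plain,';
$meta = stream_get_meta_data(fopen($evil, 'r'));
echo "data: wrapper reports mediatype=", $meta['mediatype'], "\n";

// The hardened opener refuses the same input before any stream exists.
try {
    open_local_file(sys_get_temp_dir(), $evil);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
// A genuine file below the base dir is accepted; its path comes from
// realpath(), not from the stream's own metadata.
$tmp = tempnam(sys_get_temp_dir(), 'cve');
file_put_contents($tmp, "hello\n");
$fp = open_local_file(sys_get_temp_dir(), basename($tmp));
$meta = stream_get_meta_data($fp);
echo "opened: ", $meta['wrapper_type'], "\n";
fclose($fp);
unlink($tmp);
```

Run with `php example.php`; the first line shows whatever the wrapper reports for the crafted URI, the second shows the input being rejected, and the third shows `plainfile` for the real file.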
Comment 3 Petr Gajdos 2018-02-09 17:11:55 UTC
Will submit for: 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5
Comment 4 Petr Gajdos 2018-02-09 17:17:33 UTC
Packages submitted.
Comment 6 Swamp Workflow Management 2018-02-12 14:15:56 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-02-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63966
Comment 7 Swamp Workflow Management 2018-02-23 14:07:41 UTC
SUSE-SU-2018:0530-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1080234
CVE References: CVE-2016-10712
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php5-5.5.14-109.20.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php5-5.5.14-109.20.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.20.1
Comment 8 Swamp Workflow Management 2018-02-24 14:08:58 UTC
openSUSE-SU-2018:0538-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1080234
CVE References: CVE-2016-10712
Sources used:
openSUSE Leap 42.3 (src):    php5-5.5.14-94.1
Comment 10 Swamp Workflow Management 2018-03-26 13:08:41 UTC
SUSE-SU-2018:0806-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1076220,1076391,1080234,1083639,986247,986391
CVE References: CVE-2016-10712,CVE-2016-5771,CVE-2016-5773,CVE-2018-5711,CVE-2018-5712,CVE-2018-7584
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-112.20.1
Comment 11 Marcus Meissner 2019-07-04 05:49:55 UTC
released