Bugzilla – Full Text Bug Listing

| Summary: | VUL-1: CVE-2020-7066: php72,php7: URL truncation if the URL contains zero (\0) character | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Alexandros Toptsoglou <atoptsoglou> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P4 - Low | CC: | smash_bz |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/256212/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2020-7066:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) maint:released:sle10-sp3:64436 maint:running:64435:moderate | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | POC | | |
Description
Alexandros Toptsoglou
2020-04-01 15:12:37 UTC
It seems that only our version 7.2 and above are affected. The fix can be found at [1]. I could not locate a test case in the commit.

Tracked as affected the following:

php7 --> SLE15 and SLE15-SP2
php72 --> SLE12

Factory is not affected since 7.4.4 version is shipped which contains the fix.

The reproducer that I attached only works in the affected versions mentioned above.

php $POC (in a vulnerable version)

OUTPUT

```
PHP Warning: get_headers(): php_network_getaddresses: getaddrinfo failed: Name or service not known in /home/alex/bug2 on line 9
PHP Warning: get_headers(http://example): failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in /home/alex/bug2 on line 9
bool(false)
```

php $POC (in version 7.4.4)

OUTPUT

```
PHP Warning: get_headers() expects parameter 1 to be a valid path, string given in /home/tumble/bug2.php on line 9
NULL
```

[1] http://git.php.net/?p=php-src.git;a=commit;h=0d139c5b94a5f485a66901919e51faddb0371c43

Created attachment 834564: POC
Thanks for the evaluation. I know from the similar string x path issues from the past that they very often last from the far history. I agree with the reporter, the get_headers() issue is there from the day one (tm). The original test does something more, but, for exhibiting the bug in get_headers(), following code is sufficient:

BEFORE

```
$ cat test.php
<?php
$_GET['url'] = "http://localhost\0.example.com";
$headers = get_headers($_GET['url']);
var_dump($headers);
?>
$ php test.php
PHP Warning: get_headers(http://localhost): failed to open stream: Connection refused in /168532/test.php on line 3
bool(false)
$
```

In case I am correct, all code streams are affected. After the patch we get, as you already noted, message similar to:

AFTER

```
$ php test.php
PHP Warning: get_headers() expects parameter 1 to be a valid path, string given in /168532/test.php on line 9
NULL
$
```

For 5.3 and 5.2 we get just:

```
$ php test.php
bool(false)
$
```

Packages submitted for: 15sp2/php7, 15/php7, 12/php72, 12/php5, 11sp3/php53, 11/php5, 10sp3/php5 and devel:languages:php:php56/php5. I believe all fixed.

An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2020-05-18. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64435

SUSE-SU-2020:1199-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1168326,1168352
CVE References: CVE-2020-7064,CVE-2020-7066
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src): php7-7.2.5-4.55.7, tidy-5.4.0-3.2.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): php7-7.2.5-4.55.7, tidy-5.4.0-3.2.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): tidy-5.4.0-3.2.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0642-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1168326,1168352
CVE References: CVE-2020-7064,CVE-2020-7066
Sources used:
openSUSE Leap 15.1 (src): php7-7.2.5-lp151.6.25.1, php7-test-7.2.5-lp151.6.25.1, tidy-5.4.0-lp151.3.3.1

SUSE-SU-2020:1546-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1168326,1168352,1171999
CVE References: CVE-2019-11048,CVE-2020-7064,CVE-2020-7066
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php72-7.2.5-1.46.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php72-7.2.5-1.46.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php72-7.2.5-1.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:1714-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1168326,1168352,1171999
CVE References: CVE-2019-11048,CVE-2020-7064,CVE-2020-7066
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): php5-5.5.14-109.76.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-109.76.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
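
Added example, not part of the bug report or of PHP's source: a caller-side guard for code that passes user-supplied URLs to get_headers() on an interpreter that does not yet carry the fix. The function names `nul_truncated_view` and `check_remote_url` and the allow-list are hypothetical; the sample URLs are constructed, the second being the one from test.php above.

```php
<?php
// Added example; function names and the allow-list are hypothetical.

// What a consumer that stops at the first NUL byte would see.
function nul_truncated_view(string $url): string
{
    $head = strstr($url, "\0", true);   // bytes before the first NUL, false if none
    return $head === false ? $url : $head;
}

// Returns null when the URL is acceptable, otherwise the reason for rejection.
function check_remote_url(string $url, array $allowedHosts): ?string
{
    // Binary-safe scan: NUL, other C0 controls, space and DEL never belong in a URL.
    if (preg_match('/[\x00-\x20\x7f]/', $url, $m, PREG_OFFSET_CAPTURE)) {
        return sprintf('byte 0x%02x at offset %d', ord($m[0][0]), $m[0][1]);
    }
    // Only after the byte check is the host compared against the allow-list.
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || !in_array(strtolower($host), $allowedHosts, true)) {
        return 'host not on allow-list';
    }
    return null;
}

// Constructed inputs; the second is the URL from test.php in this report.
$allowed = ['www.example.com'];
$samples = [
    'http://www.example.com/status',
    "http://localhost\0.example.com",
    'http://localhost/',
];
foreach ($samples as $url) {
    $reason = check_remote_url($url, $allowed);
    printf(
        "%-36s truncated view: %-32s %s\n",
        addcslashes($url, "\0..\37"),          // print control bytes as escapes
        nul_truncated_view($url),
        $reason === null ? 'accept' : "reject ($reason)"
    );
    // Only a URL that passed the check would be handed on to get_headers($url).
}
```

For the test.php URL, the "truncated view" column shows the same `http://localhost` that appears in the BEFORE warning, while the full string still ends in `.example.com`; the byte check rejects it before any host comparison is attempted.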