Bug 1175223 (CVE-2020-7068)

Summary: VUL-1: CVE-2020-7068: php5,php72,php7,php74,php53: php: Use of freed hash key in the phar_parse_zipfile function
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/265026/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2020-08-13 09:53:35 UTC
rh#1868109

The phar_parse_zipfile function had a use-after-free vulnerability because of mishandling of the actual_alias variable.

----- ext/phar/zip.c -----
int phar_parse_zipfile(php_stream *fp, char *fname, size_t fname_len, char *alias, size_t alias_len, phar_archive_data** pphar, char **error) /* {{{ */
{
	...

	mydata->alias = entry.is_persistent ? pestrndup(actual_alias, mydata->alias_len, 1) : actual_alias;

	if (entry.is_persistent) {
		efree(actual_alias);
	}

	zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), actual_alias, mydata->alias_len, mydata);

	...
---------------------------

The `actual_alias` variable is allocated by the estrndup function; its string is part of the zip file's data.

In the above code snippet, `mydata->alias` is assigned `pestrndup(actual_alias, mydata->alias_len, 1)` if `entry.is_persistent` is true; otherwise `mydata->alias` is assigned the `actual_alias` variable.
If `entry.is_persistent` is true, the `actual_alias` variable is freed by invoking the efree function. The `actual_alias` variable is then used as the 2nd argument of the zend_hash_str_add_ptr call.

The problem is that when the `actual_alias` variable is freed because `entry.is_persistent` is true, the key of `phar_alias_map` will use freed memory. `entry.is_persistent` is true if the `phar.cache_list` field is defined in the php.ini file.

So if `phar.cache_list` is defined with the target phar path so that `entry.is_persistent` is true, the `phar_alias_map` hash key may use sensitive freed-memory data, such as heap addresses that are set via the allocator's linked list after the efree call.


Possibly affected versions: php 7.2.32, php 7.3.20, php 7.4.8

Upstream Reference:

https://bugs.php.net/bug.php?id=79797
https://www.php.net/ChangeLog-7.php

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1868109
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7068
https://access.redhat.com/security/cve/CVE-2020-7068
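To make the ordering defect in the description's zip.c snippet concrete, here is an added example (not PHP's code): a toy allocator whose free poisons the block so the freed bytes are observable deterministically, a map stand-in that copies key bytes at insert time as zend_hash_str_add_ptr does, and the reported ordering beside the hardened one, where the last read of actual_alias happens before it is freed. The names `toy_alloc`, `toy_free`, `dup_n`, `map_add`, `struct archive` and `demo` are constructed stand-ins for emalloc/efree, estrndup, phar_alias_map and phar_archive_data.

```c
#include <stdlib.h>
#include <string.h>

/* Toy allocator standing in for emalloc/efree (constructed for this example):
 * toy_free() poisons the block with 'X' instead of releasing it, so reading
 * the freed buffer is deterministic here rather than undefined behaviour. */
static void *toy_alloc(size_t n) { return malloc(n); }
static void toy_free(void *p, size_t n) { memset(p, 'X', n); }   /* block kept on purpose */

static char *dup_n(const char *s, size_t n) {                /* like estrndup */
    char *d = toy_alloc(n + 1); memcpy(d, s, n); d[n] = '\0'; return d;
}

/* Stand-in for phar_alias_map: like zend_hash_str_add_ptr, the key bytes are
 * copied at insert time, so whatever the buffer holds at that moment is the key. */
static char stored_key[64];
static int map_add(const char *key, size_t len, void *value) {
    if (len >= sizeof stored_key) return 0;
    memcpy(stored_key, key, len); stored_key[len] = '\0'; (void)value; return 1;
}

struct archive { char *alias; size_t alias_len; };

/* Ordering from the reported zip.c: free actual_alias, then use it as the key. */
static void register_alias_buggy(struct archive *a, char *actual_alias, int persistent) {
    a->alias = persistent ? dup_n(actual_alias, a->alias_len) : actual_alias;
    if (persistent) toy_free(actual_alias, a->alias_len + 1);
    map_add(actual_alias, a->alias_len, a);                  /* reads freed memory */
}

/* Hardened ordering: the last read of actual_alias happens before it is freed. */
static void register_alias_fixed(struct archive *a, char *actual_alias, int persistent) {
    a->alias = persistent ? dup_n(actual_alias, a->alias_len) : actual_alias;
    map_add(actual_alias, a->alias_len, a);
    if (persistent) toy_free(actual_alias, a->alias_len + 1);
}

/* Run one variant on a constructed alias (as if read from the archive's alias
 * entry) and return the key the map actually recorded. */
const char *demo(int use_fixed, int persistent) {
    const char zip_alias[] = "myalias";                      /* constructed input */
    struct archive a = { NULL, sizeof zip_alias - 1 };
    char *actual_alias = dup_n(zip_alias, a.alias_len);      /* estrndup from zip data */
    if (use_fixed) register_alias_fixed(&a, actual_alias, persistent);
    else           register_alias_buggy(&a, actual_alias, persistent);
    return stored_key;
}
```

With a real allocator the poisoned bytes would instead be whatever the free list wrote into the chunk, which is the "sensitive freed memory data" the report refers to.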
Comment 1 Robert Frohl 2020-08-13 09:55:41 UTC
tracking as affected:
- SUSE:SLE-12:Update / php7
- SUSE:SLE-12:Update / php72
- SUSE:SLE-12:Update / php74
- SUSE:SLE-15:Update / php7
- SUSE:SLE-15-SP2:Update / php7 

contrary to the report, the code is also present in 7.0.X
Comment 2 Petr Gajdos 2020-08-13 14:17:56 UTC
TW/php7 have the change already in.

There is a similar one in php5:

        mydata->alias = entry.is_persistent ? pestrndup(actual_alias, mydata->alias_len, 1) : actual_alias;

        if (entry.is_persistent) {
            efree(actual_alias);
        }

        zend_hash_add(&(PHAR_GLOBALS->phar_alias_map), actual_alias, mydata->alias_len, (void*)&mydata, sizeof(phar_archive_data*), NULL);

Will submit for 15sp2/php7, 15/php7, 12/php74, 12/php72, 12/php7, 12/php5, 11/php53.

Submitted also for devel:languages:php:php56/php5.
Comment 3 Petr Gajdos 2020-08-13 15:14:25 UTC
(Please correct me, if I am wrong.)
Comment 4 Petr Gajdos 2020-08-13 15:15:00 UTC
Packages submitted.

I believe all fixed.
Comment 6 Swamp Workflow Management 2020-09-01 13:14:07 UTC
SUSE-SU-2020:2403-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175223
CVE References: CVE-2020-7068
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php7-7.0.7-50.97.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.97.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-09-01 13:15:51 UTC
SUSE-SU-2020:2404-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175223
CVE References: CVE-2020-7068
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php74-7.4.6-1.8.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php74-7.4.6-1.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-09-01 13:17:33 UTC
SUSE-SU-2020:2405-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175223
CVE References: CVE-2020-7068
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php72-7.2.5-1.49.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-09-02 16:14:19 UTC
SUSE-SU-2020:2455-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1173786,1174010,1175223
CVE References: CVE-2020-7068
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    php7-7.2.5-4.61.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    php7-7.2.5-4.61.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-09-02 16:15:11 UTC
SUSE-SU-2020:2456-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175223
CVE References: CVE-2020-7068
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    php7-7.4.6-3.6.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    php7-7.4.6-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-09-03 13:49:25 UTC
SUSE-SU-2020:2477-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175223
CVE References: CVE-2020-7068
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.79.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2020-09-07 13:30:24 UTC
openSUSE-SU-2020:1356-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175223
CVE References: CVE-2020-7068
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    php7-7.4.6-lp152.2.6.1, php7-test-7.4.6-lp152.2.6.1
Comment 13 Swamp Workflow Management 2020-09-07 13:39:18 UTC
openSUSE-SU-2020:1354-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1173786,1174010,1175223
CVE References: CVE-2020-7068
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    php7-7.2.5-lp151.6.32.1, php7-test-7.2.5-lp151.6.32.1
Comment 14 Marcus Meissner 2020-09-23 06:50:21 UTC
released