Bug 1177352 (CVE-2020-7070)

Summary: VUL-0: CVE-2020-7070: php72: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Product: [Novell Products] SUSE Security Incidents Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: atoptsoglou, junguo.wang, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/268721/
See Also: https://bugzilla.suse.com/show_bug.cgi?id=1173351
Whiteboard: CVSSv3.1:SUSE:CVE-2020-7070:6.8:(AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Wolfgang Frisch 2020-10-06 08:06:01 UTC
CVE-2020-7070

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11,
when PHP is processing incoming HTTP cookie values, the cookie names are
url-decoded. This may lead to cookies with prefixes like __Host being confused with
cookies that decode to such a prefix, thus leading to an attacker being able to
forge a cookie which is supposed to be secure. See also CVE-2020-8184 for more
information.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7070
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7070.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7070
http://cve.circl.lu/cve/CVE-2020-8184
https://bugs.php.net/bug.php?id=79699
https://hackerone.com/reports/895727
Comment 2 Petr Gajdos 2020-10-08 14:28:51 UTC
QA: note the amended tests
Comment 3 Petr Gajdos 2020-10-09 10:40:40 UTC
Will submit for 15sp2/php7, 15/php7, 12/php74, 12/php72, 12/php7, 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5.

Committed also to devel:languages:php:php56/php5.
Comment 5 Petr Gajdos 2020-10-09 11:12:47 UTC
Packages submitted. I believe all fixed.
Comment 10 Swamp Workflow Management 2020-10-12 19:14:27 UTC
SUSE-SU-2020:2894-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1177352
CVE References: CVE-2020-7070
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.82.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-10-13 16:18:02 UTC
SUSE-SU-2020:2896-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1173786,1177351,1177352
CVE References: CVE-2020-7069,CVE-2020-7070
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php74-7.4.6-1.13.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php74-7.4.6-1.13.1

Comment 12 Swamp Workflow Management 2020-10-14 16:16:48 UTC
SUSE-SU-2020:14516-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1177352
CVE References: CVE-2020-7070
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    php53-5.3.17-112.93.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-112.93.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.93.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-112.93.1

Comment 13 Swamp Workflow Management 2020-10-14 16:17:51 UTC
SUSE-SU-2020:2920-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1173786,1177352
CVE References: CVE-2020-7070
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php7-7.0.7-50.102.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.102.1

Comment 14 jun wang 2020-10-15 05:58:08 UTC
I am testing the php72 update (SUSE:Maintenance:16743:228349, php72-7.2.5-1.54.1); when running the tests "tests/basic/023.phpt" and "tests/basic/022.phpt" from the php72 source code, I got some failed results:

Actual Result:
================================================================
/root/jgwang/php-7.2.5/tests/basic/023.phpt
================================================================
array(4) {
  ["c_o_o_k_i_e"]=>
  string(5) "value"
  ["c%20o+o_k+i%20e"]=>              <------- is it expected?
  string(1) "v"
  ["name"]=>
  string(24) ""value","value",UEhQIQ=="
  ["UEhQIQ"]=>
  string(4) "=foo"
}
================================================================

Expected Result:
================================================================
array(3) {
  ["c_o_o_k_i_e"]=>
  string(5) "value"
  ["name"]=>
  string(24) ""value","value",UEhQIQ=="
  ["UEhQIQ"]=>
  string(4) "=foo"
}


# cat /root/jgwang/php-7.2.5/tests/basic/023.phpt
--TEST--
Cookies test#2
--INI--
max_input_vars=1000
filter.default=unsafe_raw
--COOKIE--
c o o k i e=value; c o o k i e= v a l u e ;;c%20o+o k+i%20e=v;name="value","value",UEhQIQ==;UEhQIQ==foo
--FILE--
<?php
var_dump($_COOKIE);
?>
--EXPECT--
array(3) {
  ["c_o_o_k_i_e"]=>
  string(5) "value"
  ["name"]=>
  string(24) ""value","value",UEhQIQ=="
  ["UEhQIQ"]=>
  string(4) "=foo"
}

from the test "tests/basic/022.phpt", it seems there is the similar issue:

Actual Result:
==========================================================
array(12) {
  ["cookie1"]=>
  string(6) "val1  "
  ["cookie2"]=>
  string(5) "val2 "
  ["cookie3"]=>
  string(6) "val 3."
  ["cookie_4"]=>
  string(10) " value 4 ;"
  ["%20cookie1"]=>               <-------- is it expected ?
  string(6) "ignore"             <--------
  ["+cookie1"]=>                 <--------
  string(6) "ignore"             <--------
  ["cookie__5"]=>
  string(7) "  value"
  ["cookie%206"]=>               <--------
  string(3) "þæö"
  ["cookie+7"]=>
  string(0) ""
  ["$cookie_8"]=>
  string(0) ""
  ["cookie-9"]=>
  string(1) "1"
  ["-_&_%_$cookie_10"]=>
  string(2) "10"
}
=========================================================

Expected result:
=========================================================
array(10) {
  ["cookie1"]=>
  string(6) "val1  "
  ["cookie2"]=>
  string(5) "val2 "
  ["cookie3"]=>
  string(6) "val 3."
  ["cookie_4"]=>
  string(10) " value 4 ;"
  ["cookie__5"]=>
  string(7) "  value"
  ["cookie_6"]=>
  string(3) "þæö"
  ["cookie_7"]=>
  string(0) ""
  ["$cookie_8"]=>
  string(0) ""
  ["cookie-9"]=>
  string(1) "1"
  ["-_&_%_$cookie_10"]=>
  string(2) "10"
}
==========================================================

Are these failures expected? I think these failures are related to php72-CVE-2020-7070.patch; please check it.
Comment 15 jun wang 2020-10-15 06:35:25 UTC
I checked the test case from https://bugs.php.net/bug.php?id=79699, and it also failed:

--TEST--
Cookies Security Bug
--INI--
max_input_vars=1000
filter.default=unsafe_raw
--COOKIE--
__%48ost-evil=evil; __Host-evil=good; %66oo=baz;foo=bar
--FILE--
<?php
var_dump($_COOKIE);
?>
--EXPECT--
array(4) {
  ["__%48ost-evil=evil"]=>
  string(4) "evil"
  ["__Host-evil=good"]=>
  string(4) "good"
  ["%66oo"]=>
  string(3) "baz"
  ["foo"]=>
  string(3) "bar"
}


Decompress php-7.2.5.tar.xz to get "run-tests.php", and then run the following command after updating all packages:
"./run-tests.php -v -p /usr/bin/php7 ./CVE-2020-7070.phpt -s result"

# cat result
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Cookies Security Bug [CVE-2020-7070.phpt]
=====================================================================


================================================================================
/root/jgwang/php-7.2.5/CVE-2020-7070.phpt
================================================================================
array(4) {
  ["__%48ost-evil"]=>                <--------
  string(4) "evil"
  ["__Host-evil"]=>                  <--------
  string(4) "good"
  ["%66oo"]=>
  string(3) "baz"
  ["foo"]=>
  string(3) "bar"
}
================================================================================
002+   ["__%48ost-evil"]=>^M
002-   ["__%48ost-evil=evil"]=>^M
004+   ["__Host-evil"]=>^M
004-   ["__Host-evil=good"]=>
================================================================================

This test failed. Does it mean that this bug is not fixed completely, or is this result expected?
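The behaviour behind the description at the top of this bug and the differing arrays in comments 14 and 15 can be reproduced with the following model. It is added here as an illustration; it is not PHP's source and not one of the patches or test cases attached to this bug. It re-implements in Python only the steps of PHP's cookie parsing (main/php_variables.c) that matter for CVE-2020-7070: split the header on ';', drop whitespace after each ';', split at the first '=', percent-decode the name (the step the fix removes for cookies), map spaces and dots in the name to underscores, decode the value, and keep the first value seen for a duplicated name. The function names, the `decode_names` switch and the treatment of a bare name as an empty value are assumptions of the model; the two Cookie headers are the ones from the tests quoted in comments 14 and 15.

```python
from urllib.parse import unquote_plus

# Cookie headers taken from the tests quoted in this bug (comment 15 and comment 14).
BUG_79699_HEADER = "__%48ost-evil=evil; __Host-evil=good; %66oo=baz;foo=bar"
TEST_023_HEADER = ('c o o k i e=value; c o o k i e= v a l u e ;;c%20o+o k+i%20e=v;'
                   'name="value","value",UEhQIQ==;UEhQIQ==foo')


def php_variable_name(raw: str) -> str:
    """Model of the name mangling in php_register_variable_ex(): leading spaces are
    dropped and remaining spaces and dots become underscores.  Array-style names
    such as a[b] are not modelled here."""
    return raw.lstrip(" ").translate(str.maketrans({" ": "_", ".": "_"}))


def parse_cookie_header(header: str, decode_names: bool) -> dict:
    """Build a $_COOKIE-like dict from a raw Cookie header value.

    decode_names=True  models PHP before the fix (7.2.x < 7.2.34, 7.3.x < 7.3.23,
                       7.4.x < 7.4.11): the name goes through php_url_decode(), so a
                       percent-encoded name lands on the same key as the literal one.
    decode_names=False models the fixed parser: only the value is decoded.
    """
    cookies: dict = {}
    for piece in header.split(";"):
        piece = piece.lstrip()          # PHP skips whitespace after each ';'
        if not piece:
            continue                    # empty segment, e.g. produced by ";;"
        name, sep, value = piece.partition("=")
        if not sep:
            value = ""                  # model assumption: a bare name gets an empty value
        if decode_names:
            name = unquote_plus(name)   # the decode step the fix removes for cookie names
        name = php_variable_name(name)
        value = unquote_plus(value)     # values are decoded both before and after the fix
        if name in cookies:
            continue                    # for cookies PHP keeps the first value it saw
        cookies[name] = value
    return cookies


def count_entries(header: str, decode_names: bool) -> int:
    """Number of $_COOKIE entries the model produces; matches the array(N) the tests print."""
    return len(parse_cookie_header(header, decode_names))


if __name__ == "__main__":
    for label, decode in (("before fix", True), ("after fix", False)):
        parsed = parse_cookie_header(BUG_79699_HEADER, decode_names=decode)
        print(f"{label}: {parsed}")
        print(f"  __Host-evil -> {parsed.get('__Host-evil')!r}")
        print(f"  tests/basic/023.phpt gives array({count_entries(TEST_023_HEADER, decode)})")
```

With `decode_names=True` the bug 79699 header collapses to two entries and the `__Host-evil` key holds the value of the percent-encoded duplicate that arrived first, which is why a `__Host-` or `__Secure-` prefix could not be trusted on an unfixed PHP. With `decode_names=False` all four literal names survive, which is the array(4) the updated test expects in comment 15, and `c%20o+o k+i%20e` becomes the separate `c%20o+o_k+i%20e` key seen in comment 14 instead of being folded into `c_o_o_k_i_e`.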
Comment 17 Petr Gajdos 2020-10-15 12:44:25 UTC
(In reply to jun wang from comment #14)
[..]
> are the fasles expected? I think these false is related with
> php72-CVE-2020-7070.patch, please check it.

Could you please check comment 2 first?
Comment 18 Petr Gajdos 2020-10-15 13:04:38 UTC
(In reply to jun wang from comment #15)
> checked the testcase from https://bugs.php.net/bug.php?id=79699, and it also
> failed:

Please check the official test case from the commit referenced in comment 1 instead.
Comment 19 jun wang 2020-10-16 00:17:00 UTC
(In reply to Petr Gajdos from comment #17)
> (In reply to jun wang from comment #14)
> [..]
> > are the fasles expected? I think these false is related with
> > php72-CVE-2020-7070.patch, please check it.
> 
> Could you please check comment 2 first?

Yes, I think I need to update the test case. Thank you.
Comment 20 jun wang 2020-10-16 01:35:46 UTC
(In reply to Petr Gajdos from comment #18)
> Check please the official testcase from the commit referenced in comment 1
> instead.

Everything works well after updating the test cases; thank you for your help.
Comment 21 Petr Gajdos 2020-10-16 09:01:59 UTC
Thanks, reassigning back.
Comment 22 Swamp Workflow Management 2020-10-16 13:18:59 UTC
SUSE-SU-2020:2941-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1177351,1177352
CVE References: CVE-2020-7069,CVE-2020-7070
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    php7-7.4.6-3.11.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    php7-7.4.6-3.11.1

Comment 23 Swamp Workflow Management 2020-10-16 13:20:06 UTC
SUSE-SU-2020:2943-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1173786,1177351,1177352
CVE References: CVE-2020-7069,CVE-2020-7070
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php72-7.2.5-1.54.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.54.1

Comment 24 Swamp Workflow Management 2020-10-20 13:18:26 UTC
openSUSE-SU-2020:1703-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1177351,1177352
CVE References: CVE-2020-7069,CVE-2020-7070
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    php7-7.4.6-lp152.2.9.1, php7-test-7.4.6-lp152.2.9.1
Comment 25 Swamp Workflow Management 2020-10-22 13:29:24 UTC
SUSE-SU-2020:2997-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1173786,1177351,1177352
CVE References: CVE-2020-7069,CVE-2020-7070
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    php7-7.2.5-4.67.2
SUSE Linux Enterprise Server 15-LTSS (src):    php7-7.2.5-4.67.2
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    php7-7.2.5-4.67.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    php7-7.2.5-4.67.2
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    php7-7.2.5-4.67.2
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    php7-7.2.5-4.67.2

Comment 26 Alexandros Toptsoglou 2020-10-26 12:26:38 UTC
Done
Comment 27 Swamp Workflow Management 2020-10-29 23:16:37 UTC
openSUSE-SU-2020:1767-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1173786,1177351,1177352
CVE References: CVE-2020-7069,CVE-2020-7070
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    php7-7.2.5-lp151.6.36.7, php7-test-7.2.5-lp151.6.36.7