Bug 977000 (CVE-2016-4071)

Summary: VUL-0: CVE-2016-4071: php5,php53: php_snmp_error() Format String Vulnerability
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/168266/
Whiteboard: CVSSv2:SUSE:CVE-2016-4071:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-4071:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Johannes Segitz 2016-04-25 08:40:14 UTC
php_snmp_error() Format String Vulnerability
    https://bugs.php.net/bug.php?id=71704
    https://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8

    It was discovered that the PHP php_snmp_error() function incorrectly
    handled string formatting. A remote attacker could use this issue to cause
    PHP to crash, resulting in a denial of service, or possibly execute
    arbitrary code.

Use CVE-2016-4071.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4071
http://seclists.org/oss-sec/2016/q2/138
http://bugs.gw.com/view.php?id=522#c1237
Comment 1 Swamp Workflow Management 2016-04-25 22:01:14 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-04-27 09:16:39 UTC
Tested on 13.2 and 12. 11sp3's and 11's php does not have php_snmp_error() function nor calls zend_throw_exception_ex.

Installed packages: php5, php5-snmp

$ cat test.php
<?php
$session = new SNMP(SNMP::VERSION_3, "127.0.0.1", "public");
$session->exceptions_enabled = SNMP::ERRNO_ANY;  // important!
try {
	$session->get("%x%x%x%x%x%x%x%x");
} catch (SNMPException $e) {
	echo $e->getMessage();
}
?>
$

BEFORE

$ valgrind php test.php
 ... many valgrind errors ...
$ 

AFTER

$ valgrind php test.php
  ... no valgrind error ...
$
Comment 3 Petr Gajdos 2016-04-28 13:44:47 UTC
Packages submitted.
Comment 4 Bernhard Wiedemann 2016-04-28 14:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (977000) was mentioned in
https://build.opensuse.org/request/show/391944 13.2 / php5
Comment 6 Bernhard Wiedemann 2016-05-05 07:00:41 UTC
This is an autogenerated message for OBS integration:
This bug (977000) was mentioned in
https://build.opensuse.org/request/show/393784 13.2 / php5
Comment 8 Bernhard Wiedemann 2016-05-10 12:00:26 UTC
This is an autogenerated message for OBS integration:
This bug (977000) was mentioned in
https://build.opensuse.org/request/show/394633 13.2 / php5
Comment 10 Swamp Workflow Management 2016-05-11 12:08:23 UTC
openSUSE-SU-2016:1274-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 976775,976996,976997,977000,977003,977005
CVE References: CVE-2015-8866,CVE-2015-8867,CVE-2016-3074,CVE-2016-4070,CVE-2016-4071,CVE-2016-4073
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-57.1
Comment 11 Swamp Workflow Management 2016-05-11 16:08:16 UTC
SUSE-SU-2016:1277-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 976996,976997,977000,977003,977005
CVE References: CVE-2015-8866,CVE-2015-8867,CVE-2016-4070,CVE-2016-4071,CVE-2016-4073
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-56.1
SUSE Linux Enterprise Software Development Kit 12 (src):    php5-5.5.14-56.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-56.1
Comment 12 Swamp Workflow Management 2016-05-20 13:09:31 UTC
openSUSE-SU-2016:1373-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 976996,976997,977000,977003,977005
CVE References: CVE-2015-8866,CVE-2015-8867,CVE-2016-4070,CVE-2016-4071,CVE-2016-4073
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-47.1
Comment 13 Marcus Meissner 2016-08-01 09:27:25 UTC
released