Bug 986247 (CVE-2016-5773)

Summary: VUL-0: CVE-2016-5773: php5,php53: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: matthias.gerstner, pgajdos, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/170459/
Whiteboard: CVSSv2:SUSE:CVE-2016-5773:4.4:(AV:L/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-5773:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2016-5773:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2016-5773:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2016-5773:5.6:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: xx.php
dirty approach to fix this in php 5.3
clean approach to fix this in php 5.3
ABI compatible fix
testcase modified by Matthias Gerstner

Description Marcus Meissner 2016-06-23 13:39:48 UTC
http://seclists.org/oss-sec/2016/q2/589

    - zip:
        Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC
        algorithm and unserialize). (Dmitry)

    https://bugs.php.net/bug.php?id=72434
    http://git.php.net/?p=php-src.git;a=commitdiff;h=f6aef68089221c5ea047d4a74224ee3deead99a6


Use CVE-2016-5773. Note that, unlike bug #72433, this does affect PHP 7.x.
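The bug above is reached through unserialize() of attacker-controlled data that instantiates an extension object. The following guard is an added example written for this page (it is not part of the bug report, the attached reproducer, or any of the patches): it refuses serialized object tokens before they ever reach unserialize(), which removes this class of trigger for applications that still run an unpatched build. The function name safe_unserialize and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example, not from the bug report. Guards unserialize() against input
// that would instantiate objects (and thereby reach extension internals such
// as the ZipArchive handlers named in CVE-2016-5773).
function safe_unserialize($data)
{
    if (!is_string($data)) {
        return false;
    }

    // Serialized objects start with O:<len>:"<class>" and custom-serialized
    // objects with C:<len>:"<class>". The scan is deliberately conservative:
    // a match inside a string payload is a false positive (the call is refused),
    // never a false negative, because a real object token must appear literally.
    if (preg_match('/[OC]:\d+:"/', $data)) {
        return false;
    }

    // On PHP >= 7.0 additionally tell unserialize() to instantiate no classes at
    // all; any object would come back as __PHP_Incomplete_Class. The array
    // syntax keeps the file parseable on PHP 5.3, where the option is ignored.
    if (PHP_VERSION_ID >= 70000) {
        return unserialize($data, array('allowed_classes' => false));
    }
    return unserialize($data);
}

// Constructed sample inputs for illustration.
$plain  = 'a:1:{i:0;s:3:"abc";}';             // scalar array, accepted
$object = 'a:1:{i:0;O:8:"stdClass":0:{}}';   // object token, refused

var_dump(safe_unserialize($plain));   // array(1) { [0]=> string(3) "abc" }
var_dump(safe_unserialize($object));  // bool(false)
```

The string-level check is the only part that helps on PHP 5.3, which is the version this report ended up patching last; where the data format is under your control, moving to json_decode() avoids the problem entirely.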
Comment 1 Swamp Workflow Management 2016-06-23 22:00:35 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-06-24 09:33:11 UTC
Created attachment 682008
xx.php

QA REPRODUCER:

php xx.php

should return
array(1) refcount(1){
  [0]=>
  object(stdClass)#3 (0) refcount(3){
  }
}

I think
Comment 3 Petr Gajdos 2016-06-28 07:42:58 UTC
Not sure how the testcase should work.
Comment 4 Petr Gajdos 2016-06-28 14:01:11 UTC
Fixed in 13.2/php5 and 12/php5.
Comment 5 Marcus Meissner 2016-06-28 16:07:16 UTC
The behaviour seems to trigger for php 5.3

As Petr found, the garbage collection hooks work differently.

was checking the sources
Comment 6 Petr Gajdos 2016-06-29 08:03:04 UTC
(In reply to Marcus Meissner from comment #5)
> The behaviour seems to trigger for php 5.3

Actually, not for me. I get

$ php xx.php
array(1) refcount(1){
  [0]=>
  object(stdClass)#3 (0) refcount(3){
  }
}

$

which is the exact expected output from the test, as far as I can see. Without patching anything.

> As Petr found, the garbage collection hooks work differently.
> 
> was checking the sources

Will submit now without the fix for 5.3. Please reassign back to me as soon as the release happens, if you still want to fix this for 5.3.
Comment 7 Petr Gajdos 2016-06-29 08:20:46 UTC
(see also bug 986391)
Comment 8 Petr Gajdos 2016-06-29 08:40:10 UTC
Packages submitted.
Comment 9 Bernhard Wiedemann 2016-06-29 10:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (986247) was mentioned in
https://build.opensuse.org/request/show/405425 13.2 / php5
Comment 10 Petr Gajdos 2016-06-29 10:42:20 UTC
(In reply to Petr Gajdos from comment #6)
> (In reply to Marcus Meissner from comment #5)
> > The behaviour seems to trigger for php 5.3
> 
> Actually, not for me. I get

Sorry, obvious mistake, forgot to install php5-zip. Now I get

$ php xx.php
string(13) "filler_zval_2" refcount(2)
$

even for php53, yes. Thanks Marcus.
Comment 11 Bernhard Wiedemann 2016-06-29 14:03:08 UTC
This is an autogenerated message for OBS integration:
This bug (986247) was mentioned in
https://build.opensuse.org/request/show/405458 13.2 / php5
Comment 12 Swamp Workflow Management 2016-07-07 16:08:58 UTC
openSUSE-SU-2016:1761-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986246,986247,986386,986388,986391,986392,986393
CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772,CVE-2016-5773
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-69.1
Comment 13 Marcus Meissner 2016-08-01 11:16:01 UTC
(not fixed yet for sle11/sle12)
Comment 14 Petr Gajdos 2016-11-07 10:05:25 UTC
Actually, sle12 is fixed (php-CVE-2016-5773.patch), just changelog entry was missing.
Comment 15 Petr Gajdos 2016-11-07 14:25:35 UTC
P4 for sle11.
Comment 18 Swamp Workflow Management 2016-12-02 15:14:20 UTC
SUSE-SU-2016:2975-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1008029,986247
CVE References: CVE-2016-5773,CVE-2016-9137
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    imap-2007e_suse-22.1
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    imap-2007e_suse-22.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    imap-2007e_suse-22.1, php5-5.5.14-86.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    imap-2007e_suse-22.1, php5-5.5.14-86.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    imap-2007e_suse-22.1, php5-5.5.14-86.2
SUSE Linux Enterprise Desktop 12-SP2 (src):    imap-2007e_suse-22.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    imap-2007e_suse-22.1
Comment 19 Swamp Workflow Management 2016-12-12 18:09:23 UTC
openSUSE-SU-2016:3095-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1008029,986247
CVE References: CVE-2016-5773,CVE-2016-9137
Sources used:
openSUSE Leap 42.2 (src):    php5-5.5.14-69.1
openSUSE Leap 42.1 (src):    php5-5.5.14-68.3
Comment 20 Marcus Meissner 2016-12-22 13:18:22 UTC
released
Comment 21 Swamp Workflow Management 2017-01-30 13:28:23 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-02-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63367
Comment 27 Matthias Gerstner 2018-02-01 16:01:07 UTC
Created attachment 758442
dirty approach to fix this in php 5.3
Comment 28 Matthias Gerstner 2018-02-01 16:01:38 UTC
Created attachment 758443
clean approach to fix this in php 5.3
Comment 29 Matthias Gerstner 2018-02-01 16:06:41 UTC
So here it goes. I have two different patches with two different approaches to fix this issue in php 5.3:

- attachment 758442 contains the "dirty" but simple approach. It does not change any data structures. Since it compares a class name by string it might influence performance a little. Also it will not extend so well should we need more similar patches in the future.

- attachment 758443 contains the "clean" but a bit more complex approach. It introduces parts of the "get_gc" method infrastructure as found in php 5.4 onwards. This requires extending global data structures and it's difficult to say if this has any side effects I'm not aware of. It is better for performance and can be extended easily should we need more similar patches in the future.

I've tested both patches and the reproducer does not trigger any more. Valgrind runs through cleanly. Please review and decide which patch to take :-)
Comment 30 Matthias Gerstner 2018-02-06 10:42:43 UTC
Created attachment 758972
ABI compatible fix
Comment 31 Matthias Gerstner 2018-02-06 10:45:43 UTC
Since the previous "clean" patch variant was not ABI compatible and the "dirty" patch was not good enough to support the fix of bug 986391 I've devised a new patch for this issue.

In attachment 758972 you can find the new ABI compatible fix for php 5.3. The major difference to the previous "clean" patch is that we're misusing the get_closure handler field to mark extensions that support the extended global handlers structure.
Comment 32 Petr Gajdos 2018-02-06 17:47:16 UTC
Created attachment 759080
testcase modified by Matthias Gerstner
Comment 33 Petr Gajdos 2018-02-06 18:49:28 UTC
BEFORE

$ php xx_sle11.php 
No entry for terminal type "rxvt-unicode";
using dumb terminal settings.
array(1) refcount(1){
  [0]=>
  object(stdClass)#3 (0) refcount(2){
  }
}
string(0) "" refcount(1)
Segmentation fault (core dumped)
$

AFTER

$ php xx_sle11.php 
array(1) refcount(1){
  [0]=>
  object(stdClass)#3 (0) refcount(2){
  }
}
array(1) refcount(1){
  [0]=>
  object(stdClass)#3 (0) refcount(2){
  }
}
array(1) refcount(1){
  [0]=>
  object(stdClass)#3 (0) refcount(3){
  }
}
$
Comment 34 Petr Gajdos 2018-02-06 19:13:40 UTC
Packages submitted.
Thanks Matthias.
Comment 38 Swamp Workflow Management 2018-03-26 13:09:02 UTC
SUSE-SU-2018:0806-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1076220,1076391,1080234,1083639,986247,986391
CVE References: CVE-2016-10712,CVE-2016-5771,CVE-2016-5773,CVE-2018-5711,CVE-2018-5712,CVE-2018-7584
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-112.20.1
Comment 39 Marcus Meissner 2019-07-04 05:37:04 UTC
done