Bug 986388 (CVE-2016-5769)

Summary: VUL-0: CVE-2016-5769: php5,php53: mcrypt: Heap Overflow due to integer overflows
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: astieger, krahmer, meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/170464/
Whiteboard: CVSSv2:SUSE:CVE-2016-5769:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-5769:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) maint:running:62922:moderate
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: xx.php

Description Marcus Meissner 2016-06-24 10:14:49 UTC
http://seclists.org/oss-sec/2016/q2/589

    - mcrypt:
         Fixed bug #72455 (Heap Overflow due to integer overflows). (Stas)

    https://bugs.php.net/bug.php?id=72455
    http://git.php.net/?p=php-src.git;a=commitdiff;h=6c5211a0cef0cc2854eaa387e0eb036e012904d0


Use CVE-2016-5769 for both the mcrypt_generic issue and the mdecrypt_generic issue.
Comment 1 Marcus Meissner 2016-06-24 10:17:38 UTC
Created attachment 682016 [details]
xx.php

QA REPRODUCER:

php xx.php

segmentation fault

(note: uses several GB of memory)
Comment 2 Swamp Workflow Management 2016-06-24 22:00:55 UTC
bugbot adjusting priority
Comment 3 Petr Gajdos 2016-06-27 11:59:12 UTC
Reproduced in 12sp2/php7 and 11/php5.
Comment 4 Petr Gajdos 2016-06-27 15:07:04 UTC
I tend to agree with the reporter in the PHP bug (see the comment [2016-06-27 06:39 UTC]). I would propose the following instead:

  if ((int)data_len - 1 <= 0) {
    php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
    RETURN_FALSE;
  }

AFTER:

$ php test.php
PHP Warning:  mdecrypt_generic(): Integer overflow in data size in /986388/test.php on line 16
$

(bails out immediately)

What do you think?
Comment 5 Marcus Meissner 2016-06-28 15:44:28 UTC
Good, but I would also check for

(data_len >= INT_MAX-block_size)

because the code is rounding to the next block_size, and could still overflow in that calculation.


Also, the else branch has an emalloc( data_size+1 ) usage; it also needs a check.
Comment 6 Petr Gajdos 2016-06-29 07:21:10 UTC
(In reply to Marcus Meissner from comment #5)
> Good, but I would also check for
> 
> (data_len >= INT_MAX-block_size)
> 
> because the code is rounding to the next block_size, and could still
> overflow in that calculation.

OK, makes sense.
 
> Also, the else branch has an emalloc( data_size+1 ) usage; it also needs a
> check.

Yeah. But that is out of scope of this CVE/bug. Unfortunately, there are many more to be checked, for sure. For example, there's another 'It's a block algorithm' block down in php_mcrypt_do_crypt(). Is it affected or not?
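The arithmetic discussed in comments 4 to 6, as an added illustration that is not code from PHP or from this bug's attachment. It assumes the PHP 5 types (int data_len, int block_size) and mirrors the length computation ext/mcrypt performs for block ciphers, data_size = (((data_len - 1) / block_size) + 1) * block_size followed by emalloc(data_size + 1). The naive version is evaluated in 64-bit so the wrap past INT_MAX can be observed rather than being undefined behaviour; checked_alloc_size is a hypothetical helper (our own name) that applies the data_len >= INT_MAX - block_size bound from comment 5 for block mode and guards the +1 in the stream-mode else branch. The near-INT_MAX length is constructed for the demonstration.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not PHP's own code. Mirrors the size arithmetic in
 * mcrypt_generic()/mdecrypt_generic() for block algorithms (PHP 5 types):
 *
 *     data_size = (((data_len - 1) / block_size) + 1) * block_size;
 *     data_s    = emalloc(data_size + 1);
 *
 * Computed in 64-bit here so the wrap-around is visible. In a plain int
 * the multiplication is undefined behaviour and in practice yields a small
 * or negative data_size, after which memcpy(data_s, data, data_len) writes
 * far past the allocation.
 */
static int64_t naive_padded_size(int data_len, int block_size)
{
    return (((int64_t)data_len - 1) / block_size + 1) * (int64_t)block_size;
}

/*
 * Hypothetical hardened helper (name and signature are ours). Returns the
 * byte count that would be handed to emalloc(), i.e. data_size + 1, or -1
 * if any step of the computation would not fit in an int. Covers both
 * branches raised in the thread: block-mode rounding and the stream-mode
 * emalloc(data_size + 1).
 */
static int checked_alloc_size(int data_len, int block_size, int is_block_mode)
{
    if (data_len < 0 || block_size <= 0)
        return -1;

    if (is_block_mode) {
        /*
         * Rounding up adds at most block_size - 1 bytes and the allocation
         * adds one more, so data_len must stay strictly below
         * INT_MAX - block_size (the bound from comment 5). This is slightly
         * conservative: it also rejects a few lengths that would just fit.
         */
        if (data_len >= INT_MAX - block_size)
            return -1;
        int data_size = (((data_len - 1) / block_size) + 1) * block_size;
        return data_size + 1;
    }

    /* Stream mode: data_size == data_len, so only the +1 can wrap. */
    if (data_len == INT_MAX)
        return -1;
    return data_len + 1;
}

int main(void)
{
    const int block_size = 16;          /* e.g. Rijndael-128 */
    const int near_max = INT_MAX - 3;   /* constructed hostile length */

    printf("naive padded size for %d: %" PRId64 " (INT_MAX = %d)\n",
           near_max, naive_padded_size(near_max, block_size), INT_MAX);
    printf("checked alloc size for %d: %d\n",
           near_max, checked_alloc_size(near_max, block_size, 1));
    printf("checked alloc size for 17 bytes: %d\n",
           checked_alloc_size(17, block_size, 1));
    return 0;
}
```

For data_len = INT_MAX - 3 and a 16-byte block the naive rounding produces INT_MAX + 1, which an int cannot hold, while the checked version refuses the length before any arithmetic can wrap; ordinary lengths such as 17 bytes still round to 32 plus the trailing byte.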
Comment 7 Petr Gajdos 2016-06-29 08:43:31 UTC
Packages submitted.
Comment 9 Bernhard Wiedemann 2016-06-29 10:00:48 UTC
This is an autogenerated message for OBS integration:
This bug (986388) was mentioned in
https://build.opensuse.org/request/show/405425 13.2 / php5
Comment 11 Bernhard Wiedemann 2016-06-29 14:03:27 UTC
This is an autogenerated message for OBS integration:
This bug (986388) was mentioned in
https://build.opensuse.org/request/show/405458 13.2 / php5
Comment 12 Swamp Workflow Management 2016-07-07 16:09:17 UTC
openSUSE-SU-2016:1761-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986246,986247,986386,986388,986391,986392,986393
CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772,CVE-2016-5773
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-69.1
Comment 15 Swamp Workflow Management 2016-07-20 22:10:15 UTC
SUSE-SU-2016:1842-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486
CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-68.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-68.1
Comment 16 Swamp Workflow Management 2016-08-01 03:10:02 UTC
openSUSE-SU-2016:1922-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486
CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-56.1
Comment 19 Swamp Workflow Management 2016-08-09 15:38:34 UTC
SUSE-SU-2016:2013-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986386,986388,986393
CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-74.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-74.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-74.1
Comment 20 Sebastian Krahmer 2016-08-10 10:03:09 UTC
CVSSv2:SUSE:CVE-2016-5769:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P)
Comment 21 Swamp Workflow Management 2016-08-16 11:10:41 UTC
SUSE-SU-2016:2080-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986386,986388,986393,991426,991427,991428,991429,991430,991433,991437
CVE References: CVE-2015-8935,CVE-2016-5399,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php5-5.2.14-0.7.30.89.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    php5-5.2.14-0.7.30.89.1