Bug 991437 (CVE-2016-6296)

Summary: VUL-0: CVE-2016-6296: php: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium CC: meissner, security-team, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/171319/
Whiteboard: CVSSv2:RedHat:CVE-2016-6296:3.7:(AV:L/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:SUSE:CVE-2016-6296:3.7:(AV:L/AC:H/Au:N/C:P/I:P/A:P) maint:running:62922:moderate CVSSv2:NVD:CVE-2016-6296:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv3:RedHat:CVE-2016-6296:7.0:(AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSSv3:NVD:CVE-2016-6296:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: CVE-2016-6296.php

Description Sebastian Krahmer 2016-08-01 09:11:23 UTC
Quoting from RH BZ:

It was found that String length checks in simplestring_addn in simplestring.c use length as signed integers, which can be used by a malicious php script to cause out of bounds write on the heap.


rh#1359822

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1359822
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6296
http://seclists.org/oss-sec/2016/q3/137
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6296.html
http://www.debian.org/security/2016/dsa-3631
http://www.cvedetails.com/cve/CVE-2016-6296/
Comment 1 Petr Gajdos 2016-08-02 08:47:12 UTC
Quoting from RH BZ (useful info):

It was found that String length checks in simplestring_addn in simplestring.c use length as signed integers, which can be used by a malicious php script to cause out of bounds write on the heap.

PHP bug:

https://bugs.php.net/bug.php?id=72606

PHP fix:

http://git.php.net/?p=php-src.git;a=commit;h=e6c48213c22ed50b2b987b479fcc1ac709394caa

CVE assignment:

http://seclists.org/oss-sec/2016/q3/137
Comment 2 Petr Gajdos 2016-08-03 14:33:35 UTC
Not sure how to reproduce with the testcase from the php bug without address sanitizer. The code is everywhere, though, so considering all affected.
Comment 3 Petr Gajdos 2016-08-04 08:59:48 UTC
I believe all affected code streams fixed.
Comment 4 Bernhard Wiedemann 2016-08-04 10:03:02 UTC
This is an autogenerated message for OBS integration:
This bug (991437) was mentioned in
https://build.opensuse.org/request/show/416889 13.2 / php5
Comment 8 Swamp Workflow Management 2016-08-15 13:10:25 UTC
openSUSE-SU-2016:2071-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437
CVE References: CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-72.1
Comment 9 Swamp Workflow Management 2016-08-16 11:11:54 UTC
SUSE-SU-2016:2080-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986386,986388,986393,991426,991427,991428,991429,991430,991433,991437
CVE References: CVE-2015-8935,CVE-2016-5399,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php5-5.2.14-0.7.30.89.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    php5-5.2.14-0.7.30.89.1
Comment 10 Marcus Meissner 2016-08-23 06:53:35 UTC
Created attachment 689050 [details]
CVE-2016-6296.php

QA REPRODUCER:

php CVE-2016-6296.php

(might not reproduce, takes long and much memory)
Comment 11 Swamp Workflow Management 2016-09-01 16:10:54 UTC
SUSE-SU-2016:2210-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 987530,991426,991427,991428,991429,991430,991433,991437
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-79.2
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-79.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-79.2
Comment 12 Swamp Workflow Management 2016-09-16 19:10:38 UTC
SUSE-SU-2016:2328-1: An update that fixes 18 vulnerabilities is now available.

Category: security (important)
Bug References: 987530,991426,991427,991428,991429,991430,991433,991437,997206,997207,997208,997210,997211,997220,997225,997230,997257
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-55.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    php53-5.3.17-55.1
Comment 13 Swamp Workflow Management 2016-09-28 13:11:53 UTC
SUSE-SU-2016:2408-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-73.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-73.1
Comment 14 Swamp Workflow Management 2016-10-04 15:13:13 UTC
openSUSE-SU-2016:2451-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-59.1
Comment 15 Swamp Workflow Management 2016-10-05 19:10:42 UTC
SUSE-SU-2016:2460-1: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820
CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-15.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-15.1
Comment 16 Marcus Meissner 2016-10-31 08:22:49 UTC
released
Comment 17 Swamp Workflow Management 2016-11-01 15:23:30 UTC
SUSE-SU-2016:2460-2: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820
CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-15.1