Bug 997230 (CVE-2016-7132)

Summary: VUL-0: CVE-2016-7132: php5, php7: wddx_deserialize null dereference in php_wddx_pop_element
Product: [Novell Products] SUSE Security Incidents Reporter: Victor Pereira <vpereira>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:SUSE:CVE-2016-7132:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2016-7132:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) maint:running:63038:important CVSSv2:NVD:CVE-2016-7132:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2016-7132:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2016-7132:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Victor Pereira 2016-09-05 08:58:49 UTC
Description:
------------
If we add an element to boolean leaf of XML struct, a null pointer dereference will happen when the element is popped. 

Source code:
https://github.com/php/php-src/blob/PHP-5.6.24/ext/wddx/wddx.c#L985

static void php_wddx_pop_element(void *user_data, const XML_Char *name)
{
...
  if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) {
    target_hash = HASH_OF(ent2->data);
...

GDB output
----------

$ gdb -q --args  /home/operac/build2/bin/php -n wdx13bis.php
...
Stopped reason: SIGSEGV
0x00000000015a8f84 in php_wddx_pop_element (user_data=0x7fffffffa200, name=<optimized out>) at /home/operac/build2/php-src-56/ext/wddx/wddx.c:997
997   if (Z_TYPE_P(ent2->data) == IS_ARRAY || Z_TYPE_P(ent2->data) == IS_OBJECT) {
gdb-peda$ bt
#0  0x00000000015a8f84 in php_wddx_pop_element (user_data=0x7fffffffa200, name=<optimized out>) at /home/operac/build2/php-src-56/ext/wddx/wddx.c:997
#1  0x00000000015eca92 in _end_element_handler (user=0x7ffff7f30650, name=<optimized out>) at /home/operac/build2/php-src-56/ext/xml/compat.c:228
...
gdb-peda$ p *ent2
$2 = {
  data = 0x0,                      
  type = ST_BOOLEAN,
  varname = 0x0
}

Test script:
---------------
<?php

$xml = <<<XML
<?xml version='1.0'?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version="1.0">
    <var name="XXXX">
        <boolean value="1">
            <dateTime>1998-06-12T04:32:12+00</dateTime>
        </boolean>
    </var>
</wddxPacket>
XML;

$array = wddx_deserialize($xml);


Expected result:
----------------
No crash


Actual result:
--------------
operac@hp2:~/testafl/null$ /home/operac/build2/bin/php -v 
PHP 5.6.26-dev (cli) (built: Aug  7 2016 02:21:28) (DEBUG)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

operac@hp2:~/testafl/null$ /home/operac/build2/bin/php -n wdx2.php
ASAN:SIGSEGV
=================================================================
==18201==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000014 (pc 0x0000015a8f84 bp 0x7ffc7e2c8dc0 sp 0x7ffc7e2c8c80 T0)
    #0 0x15a8f83 in php_wddx_pop_element /home/operac/build2/php-src-56/ext/wddx/wddx.c:997
    #1 0x15eca91 in _end_element_handler /home/operac/build2/php-src-56/ext/xml/compat.c:228
    #2 0x7f3964cac13c  (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x4a13c)
    #3 0x7f3964cb83bc  (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x563bc)
    #4 0x7f3964cb962a in xmlParseChunk (/usr/lib/x86_64-linux-gnu/libxml2.so.2+0x5762a)
    #5 0x15efa8a in php_XML_Parse /home/operac/build2/php-src-56/ext/xml/compat.c:605
    #6 0x15c6f82 in php_wddx_deserialize_ex /home/operac/build2/php-src-56/ext/wddx/wddx.c:1175
    #7 0x15c8037 in zif_wddx_deserialize /home/operac/build2/php-src-56/ext/wddx/wddx.c:1387
    #8 0x1d5bdc3 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558
    #9 0x1c0506c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363
    #10 0x194cdb2 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341
    #11 0x169ad0f in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613
    #12 0x1d64d96 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994
    #13 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378
    #14 0x7f3963f4b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x4556b8 in _start (/home/operac/build2/bin/php+0x4556b8)

References:
https://bugs.php.net/bug.php?id=72799 
https://github.com/php/php-src/commit/a14fdb9746262549bbbb96abb87338bacd147e1b?w=1
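The report's test case is a packet in which a child element (`<dateTime>`) sits inside a `<boolean>` leaf, a shape the WDDX DTD never allows, and the pop handler then dereferences an entry whose `data` is NULL. The fix is the updated package; the following added example (not code from the bug report, from php-src or from the upstream fix) shows how a defender can reject that shape in untrusted packets before they reach `wddx_deserialize`, by walking the XML structurally without deserializing it. The element rules (`boolean`, `number`, `dateTime`, `null`, `binary` carry no child elements; `string` may contain only `char`; `boolean` takes `value="true"` or `"false"`) follow my reading of the WDDX 1.0 DTD and are an assumption; the two packets are constructed, the first copying the report's test case.

```python
"""Structural pre-check for WDDX packets (added illustration, not php-src code).

Walks a WDDX packet with ElementTree and flags leaf elements that carry
child elements, which is the malformed shape in bug 997230's test case.
Nothing is deserialized; only nesting and the boolean value are checked.
"""
import xml.etree.ElementTree as ET

# Assumption from the WDDX 1.0 DTD: these leaf elements hold no child elements.
LEAF_ELEMENTS = {"boolean", "number", "dateTime", "null", "binary"}
# <string> may contain only <char> children.
STRING_CHILDREN = {"char"}
# <boolean> takes value="true" or value="false".
BOOLEAN_VALUES = {"true", "false"}


def find_malformed_leaves(packet: str):
    """Return a list of (path, problem) findings for a packet.

    An empty list means every leaf has the nesting the DTD expects.
    expat, as used by ElementTree, does not fetch the external DTD named in
    the DOCTYPE, so the check runs offline.
    """
    findings = []
    root = ET.fromstring(packet)
    _walk(root, root.tag, findings)
    return findings


def _walk(elem, path, findings):
    children = list(elem)
    if elem.tag in LEAF_ELEMENTS and children:
        findings.append(
            (path, f"<{elem.tag}> contains child element(s) {[c.tag for c in children]}"))
    if elem.tag == "string":
        bad = [c.tag for c in children if c.tag not in STRING_CHILDREN]
        if bad:
            findings.append((path, f"<string> contains non-<char> child element(s) {bad}"))
    if elem.tag == "boolean" and elem.get("value") not in BOOLEAN_VALUES:
        findings.append((path, f"<boolean> value={elem.get('value')!r} is not true/false"))
    for i, child in enumerate(children):
        _walk(child, f"{path}/{child.tag}[{i}]", findings)


# Constructed copy of the report's test case: <dateTime> nested inside <boolean>.
CRASH_PACKET = """<?xml version='1.0'?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version="1.0">
    <var name="XXXX">
        <boolean value="1">
            <dateTime>1998-06-12T04:32:12+00</dateTime>
        </boolean>
    </var>
</wddxPacket>
"""

# Constructed well-formed packet with the same leaf types used correctly.
OK_PACKET = """<wddxPacket version="1.0">
    <header/>
    <data>
        <struct>
            <var name="flag"><boolean value="true"/></var>
            <var name="when"><dateTime>1998-06-12T04:32:12+00</dateTime></var>
            <var name="name"><string>ok</string></var>
        </struct>
    </data>
</wddxPacket>
"""


if __name__ == "__main__":
    for label, packet in (("crash", CRASH_PACKET), ("ok", OK_PACKET)):
        print(label, find_malformed_leaves(packet) or "no findings")
```

Run against the report's packet the check returns two findings at `wddxPacket/var[0]/boolean[0]` (a child element under a leaf, and a boolean value that is neither `true` nor `false`); the well-formed packet returns none. This is a pre-filter for input you cannot avoid parsing on an unpatched host, not a substitute for the updated php5/php7 packages listed in the comments below.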
Comment 1 Petr Gajdos 2016-09-05 11:15:14 UTC
I have reproduced the segfault (where test.php is the testcase from comment 0) for 12, 11sp3 and 11. All versions are affected.
Comment 2 Petr Gajdos 2016-09-05 11:41:14 UTC
AFTER the result of the script is just string 'NULL'.
Comment 3 Swamp Workflow Management 2016-09-05 22:01:33 UTC
bugbot adjusting priority
Comment 4 Petr Gajdos 2016-09-08 13:12:10 UTC
Packages submitted.
Comment 5 Bernhard Wiedemann 2016-09-08 14:01:46 UTC
This is an autogenerated message for OBS integration:
This bug (997230) was mentioned in
https://build.opensuse.org/request/show/425708 13.2 / php5
Comment 8 Swamp Workflow Management 2016-09-16 19:12:10 UTC
SUSE-SU-2016:2328-1: An update that fixes 18 vulnerabilities is now available.

Category: security (important)
Bug References: 987530,991426,991427,991428,991429,991430,991433,991437,997206,997207,997208,997210,997211,997220,997225,997230,997257
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-55.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    php53-5.3.17-55.1
Comment 9 Swamp Workflow Management 2016-09-19 17:10:37 UTC
openSUSE-SU-2016:2337-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 997206,997207,997208,997210,997211,997220,997225,997230,997248,997257
CVE References: CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-75.2
Comment 11 Swamp Workflow Management 2016-09-28 13:13:06 UTC
SUSE-SU-2016:2408-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-73.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-73.1
Comment 13 Swamp Workflow Management 2016-10-04 15:14:25 UTC
openSUSE-SU-2016:2451-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-59.1
Comment 14 Swamp Workflow Management 2016-10-05 16:13:34 UTC
SUSE-SU-2016:2459-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 997206,997207,997208,997210,997211,997220,997225,997230,997257,999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE OpenStack Cloud 5 (src):    php53-5.3.17-84.1
SUSE Manager Proxy 2.1 (src):    php53-5.3.17-84.1
SUSE Manager 2.1 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-84.1
Comment 15 Swamp Workflow Management 2016-10-05 19:12:07 UTC
SUSE-SU-2016:2460-1: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820
CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-15.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-15.1
Comment 16 Marcus Meissner 2016-10-31 08:32:34 UTC
released
Comment 17 Swamp Workflow Management 2016-11-01 15:24:54 UTC
SUSE-SU-2016:2460-2: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820
CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-15.1
Comment 18 Swamp Workflow Management 2017-01-30 13:28:12 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-02-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63367