Bug 999682 (CVE-2016-7411)

Summary: VUL-0: CVE-2016-7411: php5: Memory corruption when destructing deserialized object
Product: [Novell Products] SUSE Security Incidents
Reporter: Victor Pereira <vpereira>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/172668/
Whiteboard: maint:running:63038:important CVSSv2:NVD:CVE-2016-7411:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2016-7411:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:RedHat:CVE-2016-7411:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVSSv3:NVD:CVE-2016-7411:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Victor Pereira 2016-09-19 14:15:48 UTC
rh#1377303

It was found that if object deserialization fails, the object's properties will be cleaned, but the object will still remain stored in objects_store. When calling the destructor with uninitialized properties, memory corruption may happen.

Upstream bug:

https://bugs.php.net/bug.php?id=73052

Upstream patch:

https://github.com/php/php-src/commit/6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43?w=1
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1377303
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7411
http://seclists.org/oss-sec/2016/q3/518
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7411.html
http://www.cvedetails.com/cve/CVE-2016-7411/
Comment 1 Swamp Workflow Management 2016-09-19 22:02:04 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-09-21 13:37:17 UTC
With 13.2 and 12 the sign of reproducing by 
  USE_ZEND_ALLOC=0 php test.php
is the segfault. Not the case of 11sp3 and 11 or 12/php7 (nor valgrind errors there).

As the code is not there in 12/php7 and the CVE was originally requested for php5 and not php7 in the opposite to other CVEs (http://www.openwall.com/lists/oss-security/2016/09/15/6), considering unaffected.

For 11sp3 and 11 the code is there, considering affected.
Comment 3 Bernhard Wiedemann 2016-09-23 10:01:04 UTC
This is an autogenerated message for OBS integration:
This bug (999682) was mentioned in
https://build.opensuse.org/request/show/429748 13.2 / php5
https://build.opensuse.org/request/show/429753 13.2 / php5
Comment 5 Petr Gajdos 2016-09-23 11:16:06 UTC
I believe all fixed.
Comment 7 Swamp Workflow Management 2016-10-04 14:10:50 UTC
openSUSE-SU-2016:2444-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-78.1
Comment 8 Swamp Workflow Management 2016-10-05 16:14:07 UTC
SUSE-SU-2016:2459-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 997206,997207,997208,997210,997211,997220,997225,997230,997257,999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE OpenStack Cloud 5 (src):    php53-5.3.17-84.1
SUSE Manager Proxy 2.1 (src):    php53-5.3.17-84.1
SUSE Manager 2.1 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-84.1
Comment 9 Swamp Workflow Management 2016-10-05 23:08:57 UTC
SUSE-SU-2016:2461-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-58.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    php53-5.3.17-58.1
Comment 10 Swamp Workflow Management 2016-10-07 19:13:16 UTC
SUSE-SU-2016:2477-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-78.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-78.1
Comment 11 Swamp Workflow Management 2016-10-14 14:12:04 UTC
openSUSE-SU-2016:2540-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-62.1
Comment 12 Marcus Meissner 2016-10-31 08:42:52 UTC
released
Comment 13 Swamp Workflow Management 2016-11-01 15:07:48 UTC
SUSE-SU-2016:2477-2: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-78.1