Bug 1015188 - (CVE-2016-9934) VUL-0: CVE-2016-9934: php5,php53,php7: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2016-9934:1.9:(AV:L/A...
Reported: 2016-12-12 18:20 UTC by Mikhail Kasimov
Modified: 2017-09-20 06:38 UTC (History)
Attachments
CVE-2016-9934.php (192 bytes, text/plain)
2016-12-13 16:51 UTC, Marcus Meissner
Description Mikhail Kasimov 2016-12-12 18:20:30 UTC
Reference: http://seclists.org/oss-sec/2016/q4/658
===================================================
    Fixed in PHP 5.6.28, 7.0.13 and 7.1.0:
    Bug #73331    NULL Pointer Dereference in WDDX Packet Deserialization with
    PDORow
    https://bugs.php.net/bug.php?id=73331
    https://github.com/php/php-src/commit/6045de69c7dedcba3eadf7c4bba424b19c81d00d


Use CVE-2016-9934. The scope of this CVE is everything fixed by
6045de69c7dedcba3eadf7c4bba424b19c81d00d. We could not immediately
determine whether the new "pdo_row_ce->unserialize =
zend_class_unserialize_deny" line, by itself, could stand as an
independent fix for a subset of the problem.
===================================================
Comment 1 Swamp Workflow Management 2016-12-12 23:02:27 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-12-13 16:51:04 UTC
Created attachment 706309
CVE-2016-9934.php

QA REPRODUCER:

php CVE-2016-9934.php

should not crash
Comment 3 Marcus Meissner 2016-12-13 16:51:42 UTC
affects all branches
Comment 4 Petr Gajdos 2016-12-14 09:45:24 UTC
Patch fixes the segfault everywhere.
Comment 5 Petr Gajdos 2016-12-14 10:21:37 UTC
(In reply to Petr Gajdos from comment #4)
> Patch fixes the segfault everywhere.

That was a little bit preliminary; this comment should have been added to another bug.

Packages required for testing: php, php-wddx and php-pdo
Comment 6 Petr Gajdos 2016-12-14 12:01:20 UTC
AFTER

$ php test.php
PHP Warning:  wddx_deserialize(): Class pdorow can not be unserialized in /015188/test.php on line 4
NULL
$
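
The QA check described in comments 2, 5 and 6, written as a script. This is an added example, not part of the bug report or of the attached reproducer. The function names and verdict strings are made up here; the reproducer file itself is taken as an argument and is not reproduced.

```shell
#!/bin/sh
# Regression check for the QA step "php CVE-2016-9934.php should not crash".
# Function names and verdict strings are made up for this example.

# classify_run STATUS OUTPUT -> prints CRASH signal=N, FIXED or INCONCLUSIVE
classify_run() {
    status=$1
    output=$2
    # A shell reports death by signal N as 128+N (SIGSEGV = 11 -> 139).
    # PHP's own fatal-error exit status is 255, so cap the signal range.
    if [ "$status" -gt 128 ] && [ "$status" -le 192 ]; then
        echo "CRASH signal=$((status - 128))"
        return 0
    fi
    # Patched builds refuse the class and print this warning (comment 6).
    case $output in
        *"Class pdorow can not be unserialized"*)
            if [ "$status" -eq 0 ]; then echo "FIXED"; return 0; fi ;;
    esac
    echo "INCONCLUSIVE"
}

# check_reproducer FILE [PHP_BINARY] -> runs the reproducer and classifies it
check_reproducer() {
    file=$1
    php_bin=${2:-php}
    # Comment 5: the test needs php, php-wddx and php-pdo installed.
    for mod in wddx pdo; do
        if ! "$php_bin" -m 2>/dev/null | grep -qix "$mod"; then
            echo "SKIP missing module: $mod"
            return 0
        fi
    done
    status=0
    # Force warnings onto the output so the verdict does not depend on php.ini.
    output=$("$php_bin" -d display_errors=1 "$file" 2>&1) || status=$?
    classify_run "$status" "$output"
}

if [ "$#" -gt 0 ]; then
    check_reproducer "$@"
fi
```

An INCONCLUSIVE verdict means the run neither crashed nor printed the warning shown in comment 6, so the output needs a manual look.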
Comment 7 Petr Gajdos 2016-12-14 12:01:47 UTC
Yeah, patch fixes it everywhere.
Comment 8 Petr Gajdos 2016-12-14 13:44:34 UTC
QA, note the changed test in the commit.
Comment 9 Petr Gajdos 2016-12-14 19:07:01 UTC
Packages submitted.
Comment 11 Bernhard Wiedemann 2016-12-14 21:00:41 UTC
This is an autogenerated message for OBS integration:
This bug (1015188) was mentioned in
https://build.opensuse.org/request/show/445958 13.2 / php5
Comment 12 Swamp Workflow Management 2016-12-19 14:38:09 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-01-02.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63304
Comment 13 Swamp Workflow Management 2016-12-22 14:16:49 UTC
openSUSE-SU-2016:3239-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-89.1
Comment 15 Swamp Workflow Management 2017-01-04 14:07:58 UTC
SUSE-SU-2017:0017-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189,1015191
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935,CVE-2016-9936
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php7-7.0.7-28.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-28.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-28.2
Comment 16 Swamp Workflow Management 2017-01-05 18:08:44 UTC
SUSE-SU-2017:0038-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php5-5.5.14-89.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-89.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-89.2
Comment 17 Swamp Workflow Management 2017-01-08 00:10:14 UTC
openSUSE-SU-2017:0061-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189,1015191
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935,CVE-2016-9936
Sources used:
openSUSE Leap 42.2 (src):    php7-7.0.7-9.1
Comment 18 Swamp Workflow Management 2017-01-08 00:22:05 UTC
openSUSE-SU-2017:0081-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
openSUSE Leap 42.2 (src):    php5-5.5.14-72.1
openSUSE Leap 42.1 (src):    php5-5.5.14-71.1
Comment 19 Swamp Workflow Management 2017-01-11 20:09:32 UTC
SUSE-SU-2017:0109-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1012232,1015187,1015188,1015189,974305
CVE References: CVE-2014-9912,CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-94.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-94.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-94.1
Comment 21 Swamp Workflow Management 2017-01-30 13:27:01 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-02-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63367
Comment 23 Swamp Workflow Management 2017-03-03 17:08:51 UTC
openSUSE-SU-2017:0598-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1015187,1015188,1015189
CVE References: CVE-2016-9933,CVE-2016-9934,CVE-2016-9935
Sources used:
openSUSE Leap 42.2 (src):    php5-5.5.14-75.2
openSUSE Leap 42.1 (src):    php5-5.5.14-75.1
Comment 25 Marcus Meissner 2017-06-15 20:08:55 UTC
released