Bug 1048097 - (CVE-2017-11143) VUL-0: CVE-2017-11143: php5,php7,php53: In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware / OS: Other / Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/188241/
Whiteboard: CVSSv2:NVD:CVE-2017-11143:5.0:(AV:N/...
Depends on:
Blocks:
Reported: 2017-07-11 05:30 UTC by Marcus Meissner
Modified: 2019-05-01 13:50 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments:
CVE-2017-11143.xml (217 bytes, text/plain), 2017-07-11 05:39 UTC, Marcus Meissner
CVE-2017-11143.php (153 bytes, text/plain), 2017-07-11 05:40 UTC, Marcus Meissner

Description Marcus Meissner 2017-07-11 05:30:54 UTC
CVE-2017-11143

In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean
parameters could be used by attackers able to inject XML for deserialization to
crash the PHP interpreter, related to an invalid free for an empty boolean
element in ext/wddx/wddx.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11143
https://git.php.net/?p=php-src.git;a=commit;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
https://bugs.php.net/bug.php?id=74145
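The description above names the trigger condition only in prose: an empty boolean element reaching the WDDX deserializer of an unfixed build. As an added example (not part of this bug report, and not PHP's or SUSE's own code), the PHP script below turns that condition into a defensive pre-screen that refuses such packets before wddx_deserialize() sees them, and adds the version caveat a packager needs. The function names, the screening rule, and the two sample packets are this example's own assumptions; the report's attachment contents are not reproduced here.

```php
<?php
// Added example, not part of this bug report and not PHP's own code.
// The report describes the trigger as an "empty boolean element" in a
// WDDX packet parsed by PHP < 5.6.31 (and the affected SUSE php5 build),
// so this helper rejects such packets before wddx_deserialize() runs.
// Function names, the screening rule and the sample packets below are
// this example's own choices (assumptions), not taken from the report.

declare(strict_types=1);

/**
 * True when the packet contains a <boolean> element without a non-empty
 * "value" attribute, i.e. an empty boolean element such as <boolean/>.
 * Unparseable or empty input is also reported as suspicious rather than
 * passed on to the deserializer.
 */
function wddx_packet_has_empty_boolean(string $packet): bool
{
    if ($packet === '') {
        return true;
    }

    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch network resources while screening input.
    $parsed = $doc->loadXML($packet, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($parsed === false) {
        return true;
    }
    foreach ($doc->getElementsByTagName('boolean') as $element) {
        // getAttribute() yields '' both for value='' and for a missing attribute.
        if ($element->getAttribute('value') === '') {
            return true;
        }
    }
    return false;
}

/**
 * True when the upstream version string is at or past the fix release.
 * Distribution packages backport fixes without bumping this string (the
 * SUSE updates in this report ship php5-5.5.14-*), so a false result means
 * "check the vendor advisory", not "vulnerable".
 */
function php_version_has_upstream_fix(): bool
{
    return version_compare(PHP_VERSION, '5.6.31', '>=');
}

/**
 * wddx_deserialize() with the screen applied. Throws instead of returning
 * when the extension is absent or the packet fails the screen.
 */
function screened_wddx_deserialize(string $packet)
{
    if (!extension_loaded('wddx')) {
        throw new RuntimeException('wddx extension is not loaded');
    }
    if (wddx_packet_has_empty_boolean($packet)) {
        throw new InvalidArgumentException('refusing WDDX packet with an empty boolean element');
    }
    return wddx_deserialize($packet);
}

// Constructed sample packets for exercising the screen (not the report's attachment).
$wellFormed = "<wddxPacket version='1.0'><header/><data>"
    . "<boolean value='true'/></data></wddxPacket>";
$emptyBoolean = "<wddxPacket version='1.0'><header/><data>"
    . "<boolean/></data></wddxPacket>";

if (PHP_SAPI === 'cli') {
    var_dump(wddx_packet_has_empty_boolean($wellFormed));
    var_dump(wddx_packet_has_empty_boolean($emptyBoolean));
    var_dump(php_version_has_upstream_fix());
    var_dump(extension_loaded('wddx'));
}
```

Run it with `php screen_wddx.php` (file name is hypothetical). The screen is a stop-gap for code that must accept WDDX from untrusted sources on a build that cannot be updated yet; the real fix is the package update listed later in this report. Note that the wddx extension was removed from PHP core in 7.4, so on current interpreters screened_wddx_deserialize() throws on the extension check, which is the correct outcome for untrusted input.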
Comment 1 Marcus Meissner 2017-07-11 05:35:44 UTC
might not affect our distributions as the code has varied between php releases.
Comment 2 Marcus Meissner 2017-07-11 05:39:07 UTC
Created attachment 731874 [details]
CVE-2017-11143.xml

QA REPRODUCER:

data file for next entry
CVE-2017-11143.xml
Comment 3 Marcus Meissner 2017-07-11 05:40:26 UTC
Created attachment 731875 [details]
CVE-2017-11143.php

QA REPRODUCER:

php CVE-2017-11143.php

should not crash.

(it does not crash on my reference systems currently)
Comment 4 Petr Gajdos 2017-07-18 09:46:01 UTC
I cannot reproduce on 12/php7, 11sp3/php53, 11/php5 and 10sp3/php5:

$ USE_ZEND_ALLOC=0 valgrind --leak-check=full php CVE-2017-11143.php
==25178== Memcheck, a memory error detector
==25178== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==25178== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==25178== Command: php CVE-2017-11143.php
==25178== 
NULL

==25178== 
==25178== HEAP SUMMARY:
==25178==     in use at exit: 224 bytes in 2 blocks
==25178==   total heap usage: 10,947 allocs, 10,945 frees, 2,830,684 bytes allocated
==25178== 
==25178== LEAK SUMMARY:
==25178==    definitely lost: 0 bytes in 0 blocks
==25178==    indirectly lost: 0 bytes in 0 blocks
==25178==      possibly lost: 0 bytes in 0 blocks
==25178==    still reachable: 224 bytes in 2 blocks
==25178==         suppressed: 0 bytes in 0 blocks
==25178== Reachable blocks (those to which a pointer was found) are not shown.
==25178== To see them, rerun with: --leak-check=full --show-reachable=yes
==25178== 
==25178== For counts of detected and suppressed errors, rerun with: -v
==25178== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 4)
$

I can reproduce on 12/php5:

$ php CVE-2017-11143.php
Segmentation fault (core dumped)
$
Comment 5 Petr Gajdos 2017-07-18 10:00:08 UTC
(In reply to Petr Gajdos from comment #4)
[..]
> NULL
> 
[..]

The 'NULL' string is the correct output of the test case, see the phpt from the php git commit.
Comment 6 Petr Gajdos 2017-07-18 11:40:14 UTC
I believe 12/php7, 11sp3/php53, 11/php5 and 10sp3/php5 are really not affected, as ent.data seems to be correctly initialized there.
Comment 8 Petr Gajdos 2017-07-18 11:41:13 UTC
Affected: 12/php5
Comment 9 Petr Gajdos 2017-07-21 12:51:48 UTC
I believe all fixed.
Comment 13 Swamp Workflow Management 2017-09-01 01:07:56 UTC
SUSE-SU-2017:2317-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047454,1048094,1048096,1048097,1048111,1048112,1050241,1050726,986386
CVE References: CVE-2016-10397,CVE-2016-5766,CVE-2017-11143,CVE-2017-11144,CVE-2017-11145,CVE-2017-11146,CVE-2017-11147,CVE-2017-11628,CVE-2017-7890
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php5-5.5.14-109.5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php5-5.5.14-109.5.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.5.1
Comment 14 Andreas Stieger 2017-09-05 21:49:53 UTC
done
Comment 15 Swamp Workflow Management 2017-09-06 01:10:25 UTC
openSUSE-SU-2017:2366-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1047454,1048094,1048096,1048097,1048111,1048112,1050241,1050726,986386
CVE References: CVE-2016-10397,CVE-2016-5766,CVE-2017-11143,CVE-2017-11144,CVE-2017-11145,CVE-2017-11146,CVE-2017-11147,CVE-2017-11628,CVE-2017-7890
Sources used:
openSUSE Leap 42.3 (src):    php5-5.5.14-82.1
openSUSE Leap 42.2 (src):    php5-5.5.14-77.9.1