Bugzilla – Bug 1080234
VUL-0: CVE-2016-10712: php5,php53: The return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads)
Last modified: 2019-07-04 05:49:55 UTC
CVE-2016-10712 In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For example, a "$uri = stream_get_meta_data(fopen($file, "r"))['uri']" call mishandles the case where $file is data:text/plain;uri=eviluri, -- in other words, metadata can be set by an attacker.

Upstream bug: https://bugs.php.net/bug.php?id=71323
Upstream fix: https://git.php.net/?p=php-src.git;a=commit;h=6297a117d77fa3a0df2e21ca926a92c231819cd5

php7 not affected, all others are AFAICS

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10712
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10712
Agreed:

devel/php7:
$ php -r 'var_dump(stream_get_meta_data(fopen("data:real/evil;mediatype=text/plain,", "r"))["mediatype"]);'
string(9) "real/evil"

12/php7
$ php -r 'var_dump(stream_get_meta_data(fopen("data:real/evil;mediatype=text/plain,", "r"))["mediatype"]);'
string(9) "real/evil"

11sp3/php53
$ php -r 'var_dump(stream_get_meta_data(fopen("data:real/evil;mediatype=text/plain,", "r")));' | grep -A 1 'mediatype.*=>'
  ["mediatype"]=>
  string(10) "text/plain"

11/php5
$ php -r 'var_dump(stream_get_meta_data(fopen("data:real/evil;mediatype=text/plain,", "r")));' | grep -A 1 'mediatype.*=>'
  ["mediatype"]=>
  string(10) "text/plain"

PATCH https://git.php.net/?p=php-src.git;a=commit;h=6297a117d77fa3a0df2e21ca926a92c231819cd5

12/php7: has the fix included, not affected

AFTER

12/php5
$ php -r 'var_dump(stream_get_meta_data(fopen("data:real/evil;mediatype=text/plain,", "r"))["mediatype"]);'
string(9) "real/evil"

11sp3/php53
$ php -r 'var_dump(stream_get_meta_data(fopen("data:real/evil;mediatype=text/plain,", "r")));' | grep -A 1 'mediatype.*=>'
  ["mediatype"]=>
  string(9) "real/evil"

11/php5
$ php -r 'var_dump(stream_get_meta_data(fopen("data:real/evil;mediatype=text/plain,", "r")));' | grep -A 1 'mediatype.*=>'
  ["mediatype"]=>
  string(9) "real/evil"
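The description and the test runs above show the failure mode: when a user-influenced string reaches fopen() as a data: URI, the attacker picks the metadata that stream_get_meta_data() hands back, so code that reads the upload's location out of that array is trusting attacker input. The following is an added defensive example for the upload case; it is not code from this report, from SUSE's packages or from PHP itself. The function name openLocalFileOnly and the sample inputs are constructed, and the wrapper_type values relied on are the ones PHP reports for plain files ("plainfile") and for data: URIs ("RFC2397").

```php
<?php
// Added example for bug 1080234 / CVE-2016-10712. Not code from the report,
// from SUSE or from php-src. Written to run on PHP 5.3 and later.
//
// Idea: never let an untrusted string reach fopen() as a stream URI, and never
// use stream_get_meta_data() as the source of truth about where an upload is.
// Canonicalize the path yourself, then check the wrapper type as a backstop.

function openLocalFileOnly($path)
{
    // 1. Refuse anything that looks like a stream wrapper scheme (data:, php:,
    //    http:, phar:, ...). The scheme must be at least three characters so
    //    Windows drive letters such as "C:\" are not treated as wrappers.
    if (preg_match('#^[a-z][a-z0-9+.\-]{2,}:#i', $path)) {
        throw new InvalidArgumentException("stream wrappers are not accepted: $path");
    }

    // 2. Resolve to a canonical filesystem path and require a regular file.
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("not a regular file: $path");
    }

    $fh = fopen($real, 'rb');
    if ($fh === false) {
        throw new RuntimeException("cannot open: $real");
    }

    // 3. Backstop: plain files report wrapper_type "plainfile"; a data: URI
    //    reports "RFC2397". If the checks above ever regress, fail closed here.
    $meta = stream_get_meta_data($fh);
    $wrapper = isset($meta['wrapper_type']) ? $meta['wrapper_type'] : '';
    if ($wrapper !== 'plainfile') {
        fclose($fh);
        throw new RuntimeException("unexpected wrapper type: $wrapper");
    }

    // 4. Report the location from our own canonical path, not from $meta['uri'],
    //    which is the value the vulnerable pattern in the report trusted.
    return array('handle' => $fh, 'uri' => $real, 'meta' => $meta);
}

// --- demonstration with constructed inputs ----------------------------------

// A temporary file stands in for an uploaded file. For real uploads, only ever
// use $_FILES[...]['tmp_name'] after is_uploaded_file() has succeeded.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "hello\n");

$ok = openLocalFileOnly($tmp);
printf("accepted: %s (wrapper_type=%s)\n", $ok['uri'], $ok['meta']['wrapper_type']);
fclose($ok['handle']);
unlink($tmp);

// The input shape from the report: attacker-chosen metadata inside a data: URI.
$evil = 'data:real/evil;mediatype=text/plain;uri=eviluri,';
try {
    openLocalFileOnly($evil);
    echo "BUG: data: URI was accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Run it with php on a patched or unpatched build: the temporary file is accepted with wrapper_type plainfile, and the data: input is rejected before fopen() is reached, so the version-dependent mediatype behaviour shown in the test runs above never matters to the caller. The realpath() step also gives the canonical location that the original code was trying to obtain from the metadata array.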
Will submit for: 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5
Packages submitted.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2018-02-19. When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63966
SUSE-SU-2018:0530-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1080234
CVE References: CVE-2016-10712
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): php5-5.5.14-109.20.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): php5-5.5.14-109.20.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-109.20.1

openSUSE-SU-2018:0538-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1080234
CVE References: CVE-2016-10712
Sources used:
openSUSE Leap 42.3 (src): php5-5.5.14-94.1

SUSE-SU-2018:0806-1: An update that fixes 6 vulnerabilities is now available.
Category: security (important)
Bug References: 1076220,1076391,1080234,1083639,986247,986391
CVE References: CVE-2016-10712,CVE-2016-5771,CVE-2016-5773,CVE-2018-5711,CVE-2018-5712,CVE-2018-7584
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-112.20.1
SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-112.20.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): php53-5.3.17-112.20.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): php53-5.3.17-112.20.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-112.20.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-112.20.1
released