Bug 1177352 - (CVE-2020-7070) VUL-0: CVE-2020-7070: php72: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/268721/
CVSSv3.1:SUSE:CVE-2020-7070:6.8:(AV:N...
Reported: 2020-10-06 08:06 UTC by Wolfgang Frisch
Modified: 2020-10-29 23:16 UTC
Found By: Security Response Team
Description Wolfgang Frisch 2020-10-06 08:06:01 UTC
CVE-2020-7070

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11,
when PHP is processing incoming HTTP cookie values, the cookie names are
url-decoded. This may lead to cookies with prefixes like __Host being confused
with cookies that decode to such a prefix, thus allowing an attacker to forge
a cookie which is supposed to be secure. See also CVE-2020-8184 for more
information.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7070
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7070.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7070
http://cve.circl.lu/cve/CVE-2020-8184
https://bugs.php.net/bug.php?id=79699
https://hackerone.com/reports/895727
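
Added example (not part of the original report, and not PHP's own code): a simplified Python model of the cookie-name handling described above, run on the cookie header from the upstream test case quoted in this report, together with a check that flags names which match a protected prefix only after URL-decoding. The function names and the reduced name-mangling rules are assumptions of this sketch.

```python
from urllib.parse import unquote_plus

PROTECTED_PREFIXES = ("__Host-", "__Secure-")


def _split_pairs(header):
    """Yield (raw_name, raw_value) for each 'name=value' segment."""
    for segment in header.split(";"):
        segment = segment.lstrip(" ")
        if not segment:
            continue
        name, _, value = segment.partition("=")
        yield name, value


def parse_cookies(header, decode_names):
    """Simplified model of how $_COOKIE is filled (assumption, not PHP source).

    decode_names=True  models the behaviour the advisory describes.
    decode_names=False models the patched behaviour (names kept raw).
    """
    cookies = {}
    for raw_name, raw_value in _split_pairs(header):
        name = unquote_plus(raw_name) if decode_names else raw_name
        # Reduced mangling: spaces and dots in names become underscores.
        name = name.lstrip(" ").replace(" ", "_").replace(".", "_")
        # First occurrence wins; later duplicates of a name are ignored.
        cookies.setdefault(name, unquote_plus(raw_value))
    return cookies


def suspicious_names(header):
    """Raw names that only match a protected prefix after URL-decoding."""
    hits = []
    for raw_name, _ in _split_pairs(header):
        decoded = unquote_plus(raw_name)
        if decoded != raw_name and decoded.startswith(PROTECTED_PREFIXES):
            hits.append(raw_name)
    return hits


# Cookie header from the test case quoted in this report.
HEADER = "__%48ost-evil=evil; __Host-evil=good; %66oo=baz;foo=bar"

if __name__ == "__main__":
    print("names decoded:", parse_cookies(HEADER, decode_names=True))
    print("names kept raw:", parse_cookies(HEADER, decode_names=False))
    print("flagged:", suspicious_names(HEADER))
```

With decoding enabled the encoded name shadows the genuine `__Host-evil` cookie; with names kept raw both survive as distinct keys, which is why the older test expectations no longer match after the patch.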
Comment 2 Petr Gajdos 2020-10-08 14:28:51 UTC
QA: note the amended tests
Comment 3 Petr Gajdos 2020-10-09 10:40:40 UTC
Will submit for 15sp2/php7, 15/php7, 12/php74, 12/php72, 12/php7, 12/php5, 11sp3/php53, 11/php5 and 10sp3/php5.

Committed also to devel:languages:php:php56/php5.
Comment 5 Petr Gajdos 2020-10-09 11:12:47 UTC
Packages submitted. I believe all fixed.
Comment 10 Swamp Workflow Management 2020-10-12 19:14:27 UTC
SUSE-SU-2020:2894-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1177352
CVE References: CVE-2020-7070
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.82.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-10-13 16:18:02 UTC
SUSE-SU-2020:2896-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1173786,1177351,1177352
CVE References: CVE-2020-7069,CVE-2020-7070
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php74-7.4.6-1.13.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php74-7.4.6-1.13.1

Comment 12 Swamp Workflow Management 2020-10-14 16:16:48 UTC
SUSE-SU-2020:14516-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1177352
CVE References: CVE-2020-7070
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    php53-5.3.17-112.93.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-112.93.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.93.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-112.93.1

Comment 13 Swamp Workflow Management 2020-10-14 16:17:51 UTC
SUSE-SU-2020:2920-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1173786,1177352
CVE References: CVE-2020-7070
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php7-7.0.7-50.102.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.102.1

Comment 14 jun wang 2020-10-15 05:58:08 UTC
I am testing the php72 update (SUSE:Maintenance:16743:228349, php72-7.2.5-1.54.1). When running the tests "tests/basic/023.phpt" and "tests/basic/022.phpt" from the php72 source code, I got some failed results:

Actual Result:
================================================================
/root/jgwang/php-7.2.5/tests/basic/023.phpt
================================================================
array(4) {
  ["c_o_o_k_i_e"]=>
  string(5) "value"
  ["c%20o+o_k+i%20e"]=>              <------- is it expected?
  string(1) "v"
  ["name"]=>
  string(24) ""value","value",UEhQIQ=="
  ["UEhQIQ"]=>
  string(4) "=foo"
}
================================================================

Expected Result:
================================================================
array(3) {
  ["c_o_o_k_i_e"]=>
  string(5) "value"
  ["name"]=>
  string(24) ""value","value",UEhQIQ=="
  ["UEhQIQ"]=>
  string(4) "=foo"
}


# cat /root/jgwang/php-7.2.5/tests/basic/023.phpt
--TEST--
Cookies test#2
--INI--
max_input_vars=1000
filter.default=unsafe_raw
--COOKIE--
c o o k i e=value; c o o k i e= v a l u e ;;c%20o+o k+i%20e=v;name="value","value",UEhQIQ==;UEhQIQ==foo
--FILE--
<?php
var_dump($_COOKIE);
?>
--EXPECT--
array(3) {
  ["c_o_o_k_i_e"]=>
  string(5) "value"
  ["name"]=>
  string(24) ""value","value",UEhQIQ=="
  ["UEhQIQ"]=>
  string(4) "=foo"
}

From the test "tests/basic/022.phpt", it seems there is a similar issue:

Actual Result:
==========================================================
array(12) {
  ["cookie1"]=>                                                                                                                
  string(6) "val1  "
  ["cookie2"]=>
  string(5) "val2 "
  ["cookie3"]=>
  string(6) "val 3."
  ["cookie_4"]=>
  string(10) " value 4 ;"
  ["%20cookie1"]=>               <-------- is it expected ?
  string(6) "ignore"             <--------
  ["+cookie1"]=>                 <--------
  string(6) "ignore"             <--------
  ["cookie__5"]=>
  string(7) "  value"
  ["cookie%206"]=>               <--------
  string(3) "þæö"
  ["cookie+7"]=>
  string(0) ""
  ["$cookie_8"]=>
  string(0) ""
  ["cookie-9"]=>
  string(1) "1"
  ["-_&_%_$cookie_10"]=>
  string(2) "10"
}
=========================================================

Expected result:
=========================================================
array(10) {
  ["cookie1"]=>
  string(6) "val1  "
  ["cookie2"]=>
  string(5) "val2 "
  ["cookie3"]=>
  string(6) "val 3."
  ["cookie_4"]=>
  string(10) " value 4 ;"
  ["cookie__5"]=>
  string(7) "  value"
  ["cookie_6"]=>
  string(3) "þæö"
  ["cookie_7"]=>
  string(0) ""
  ["$cookie_8"]=>
  string(0) ""
  ["cookie-9"]=>
  string(1) "1"
  ["-_&_%_$cookie_10"]=>
  string(2) "10"
}
==========================================================

Are the failures expected? I think these failures are related to php72-CVE-2020-7070.patch, please check it.
Comment 15 jun wang 2020-10-15 06:35:25 UTC
Checked the testcase from https://bugs.php.net/bug.php?id=79699, and it also failed:

--TEST--
Cookies Security Bug
--INI--
max_input_vars=1000
filter.default=unsafe_raw
--COOKIE--
__%48ost-evil=evil; __Host-evil=good; %66oo=baz;foo=bar
--FILE--
<?php
var_dump($_COOKIE);
?>
--EXPECT--
array(4) {
  ["__%48ost-evil=evil"]=>
  string(4) "evil"
  ["__Host-evil=good"]=>
  string(4) "good"
  ["%66oo"]=>
  string(3) "baz"
  ["foo"]=>
  string(3) "bar"
}


Decompress php-7.2.5.tar.xz to get "run-tests.php", and then run the command after updating all packages:
"./run-tests.php -v -p /usr/bin/php7 ./CVE-2020-7070.phpt -s result"

# cat result
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Cookies Security Bug [CVE-2020-7070.phpt]
=====================================================================


================================================================================
/root/jgwang/php-7.2.5/CVE-2020-7070.phpt
================================================================================
array(4) {
  ["__%48ost-evil"]=>                <--------
  string(4) "evil"
  ["__Host-evil"]=>                  <--------
  string(4) "good"
  ["%66oo"]=>
  string(3) "baz"
  ["foo"]=>
  string(3) "bar"
}
================================================================================
002+   ["__%48ost-evil"]=>^M
002-   ["__%48ost-evil=evil"]=>^M
004+   ["__Host-evil"]=>^M
004-   ["__Host-evil=good"]=>
================================================================================

This test failed. Does it mean that this bug is not fixed completely, or is this result expected?
Comment 17 Petr Gajdos 2020-10-15 12:44:25 UTC
(In reply to jun wang from comment #14)
[..]
> Are the failures expected? I think these failures are related to
> php72-CVE-2020-7070.patch, please check it.

Could you please check comment 2 first?
Comment 18 Petr Gajdos 2020-10-15 13:04:38 UTC
(In reply to jun wang from comment #15)
> checked the testcase from https://bugs.php.net/bug.php?id=79699, and it also
> failed:

Please check the official testcase from the commit referenced in comment 1 instead.
Comment 19 jun wang 2020-10-16 00:17:00 UTC
(In reply to Petr Gajdos from comment #17)
> (In reply to jun wang from comment #14)
> [..]
> > Are the failures expected? I think these failures are related to
> > php72-CVE-2020-7070.patch, please check it.
> 
> Could you please check comment 2 first?

Yes, I think I need to update the testcase. Thank you.
Comment 20 jun wang 2020-10-16 01:35:46 UTC
(In reply to Petr Gajdos from comment #18)
> Please check the official testcase from the commit referenced in comment 1
> instead.

Everything works well after updating the testcases, thank you for your help.
Comment 21 Petr Gajdos 2020-10-16 09:01:59 UTC
Thanks, reassigning back.
Comment 22 Swamp Workflow Management 2020-10-16 13:18:59 UTC
SUSE-SU-2020:2941-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1177351,1177352
CVE References: CVE-2020-7069,CVE-2020-7070
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    php7-7.4.6-3.11.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src):    php7-7.4.6-3.11.1

Comment 23 Swamp Workflow Management 2020-10-16 13:20:06 UTC
SUSE-SU-2020:2943-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1173786,1177351,1177352
CVE References: CVE-2020-7069,CVE-2020-7070
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    php72-7.2.5-1.54.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php72-7.2.5-1.54.1

Comment 24 Swamp Workflow Management 2020-10-20 13:18:26 UTC
openSUSE-SU-2020:1703-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1177351,1177352
CVE References: CVE-2020-7069,CVE-2020-7070
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    php7-7.4.6-lp152.2.9.1, php7-test-7.4.6-lp152.2.9.1
Comment 25 Swamp Workflow Management 2020-10-22 13:29:24 UTC
SUSE-SU-2020:2997-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1173786,1177351,1177352
CVE References: CVE-2020-7069,CVE-2020-7070
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    php7-7.2.5-4.67.2
SUSE Linux Enterprise Server 15-LTSS (src):    php7-7.2.5-4.67.2
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    php7-7.2.5-4.67.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    php7-7.2.5-4.67.2
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    php7-7.2.5-4.67.2
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    php7-7.2.5-4.67.2

Comment 26 Alexandros Toptsoglou 2020-10-26 12:26:38 UTC
Done
Comment 27 Swamp Workflow Management 2020-10-29 23:16:37 UTC
openSUSE-SU-2020:1767-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1173786,1177351,1177352
CVE References: CVE-2020-7069,CVE-2020-7070
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    php7-7.2.5-lp151.6.36.7, php7-test-7.2.5-lp151.6.36.7