Bugzilla – Bug 986388
VUL-0: CVE-2016-5769: php5,php53: mcrypt: Heap Overflow due to integer overflows
Last modified: 2016-10-24 08:21:05 UTC
http://seclists.org/oss-sec/2016/q2/589 - mcrypt: Fixed bug #72455 (Heap Overflow due to integer overflows). (Stas) https://bugs.php.net/bug.php?id=72455 http://git.php.net/?p=php-src.git;a=commitdiff;h=6c5211a0cef0cc2854eaa387e0eb036e012904d0 Use CVE-2016-5769 for both the mcrypt_generic issue and the mdecrypt_generic issue.
Created attachment 682016 [details] xx.php QA REPRODUCER: php xx.php segmentation fault (note: uses several GB of memory)
bugbot adjusting priority
Reproduced in 12sp2/php7 and 11/php5.
I tend to agree with reporter in the php bug (see the comment [2016-06-27 06:39 UTC]). I would propose following instead: if ((int)data_len - 1 <= 0) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size"); RETURN_FALSE; } AFTER: $ php test.php PHP Warning: mdecrypt_generic(): Integer overflow in data size in /986388/test.php on line 16 $ (bails out immediately) What do you think?
good, but also i would check for (data_len >= INT_MAX-block_size) because the code is rounding to the next block_size, and could still overflow in that calculation. also the else branch has a emalloc( data_size+1 ) usage, it also needs a check.
(In reply to Marcus Meissner from comment #5) > good, but also i would check for > > (data_len >= INT_MAX-block_size) > > because the code is rounding to the next block_size, and could still > overflow in that calculation. Ok, make sense. > also the else branch has a emalloc( data_size+1 ) usage, it also needs a > check. Yeah. But that is out of scope of this CVE/bug. Unfortunately, there are many more to be checked, for sure. For example, there's another 'It's a block algorithm' block down in php_mcrypt_do_crypt(). Is it affected or not?
Packages submitted.
This is an autogenerated message for OBS integration: This bug (986388) was mentioned in https://build.opensuse.org/request/show/405425 13.2 / php5
This is an autogenerated message for OBS integration: This bug (986388) was mentioned in https://build.opensuse.org/request/show/405458 13.2 / php5
openSUSE-SU-2016:1761-1: An update that fixes 9 vulnerabilities is now available. Category: security (important) Bug References: 986004,986244,986246,986247,986386,986388,986391,986392,986393 CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772,CVE-2016-5773 Sources used: openSUSE 13.2 (src): php5-5.6.1-69.1
SUSE-SU-2016:1842-1: An update that fixes 9 vulnerabilities is now available. Category: security (moderate) Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486 CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-68.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-68.1
openSUSE-SU-2016:1922-1: An update that fixes 9 vulnerabilities is now available. Category: security (moderate) Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486 CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772 Sources used: openSUSE Leap 42.1 (src): php5-5.5.14-56.1
SUSE-SU-2016:2013-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 986004,986244,986386,986388,986393 CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-74.1 SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-74.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-74.1
CVSSv2:SUSE:CVE-2016-5769:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P)
SUSE-SU-2016:2080-1: An update that fixes 12 vulnerabilities is now available. Category: security (important) Bug References: 986004,986244,986386,986388,986393,991426,991427,991428,991429,991430,991433,991437 CVE References: CVE-2015-8935,CVE-2016-5399,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): php5-5.2.14-0.7.30.89.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): php5-5.2.14-0.7.30.89.1