Bug 986391 - (CVE-2016-5771) VUL-0: CVE-2016-5771: php5,php53: Use After Free Vulnerability in PHP's GC algorithm and unserialize
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/170461/
CVSSv2:SUSE:CVE-2016-5771:5.1:(AV:N/A...
Reported: 2016-06-24 10:28 UTC by Marcus Meissner
Modified: 2022-08-03 13:35 UTC

Found By: Security Response Team


Attachments:
  xx.php (697 bytes, text/plain), 2016-06-24 10:30 UTC, Marcus Meissner
  fix for php 5.3 (4.03 KB, patch), 2018-02-06 10:46 UTC, Matthias Gerstner

Description Marcus Meissner 2016-06-24 10:28:06 UTC
http://seclists.org/oss-sec/2016/q2/589

    SPL:
        Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and
        unserialize). (Dmitry)

    https://bugs.php.net/bug.php?id=72433
    http://git.php.net/?p=php-src.git;a=commitdiff;h=3f627e580acfdaf0595ae3b115b8bec677f203ee


Use CVE-2016-5771. Note that, unlike bug #72434, this does not affect PHP 7.x.
Comment 1 Marcus Meissner 2016-06-24 10:30:11 UTC
Created attachment 682017 [details]
xx.php

QA REPRODUCER:

php xx.php

should print:

array(3) {
  [0]=>
  *RECURSION*
  [1]=>
  *RECURSION*
  [2]=>
  object(ArrayObject)#%d (1) {
    ["storage":"ArrayObject":private]=>
    *RECURSION*
  }
}
Comment 2 Marcus Meissner 2016-06-24 10:30:35 UTC
on php 5.6 it prints
string(13) "filler_zval_2"
Comment 3 Marcus Meissner 2016-06-24 10:30:52 UTC
on php53 it currently prints

php xx.php
PHP Notice:  unserialize(): Error at offset 48 of 69 bytes in /suse/meissner/xx.php on line 8
PHP Fatal error:  Uncaught exception 'UnexpectedValueException' with message 'Error at offset 6 of 19 bytes' in /suse/meissner/xx.php:8
Stack trace:
#0 /suse/meissner/xx.php(8): unserialize('a:3:{i:0;r:1;i:...')
#1 {main}
  thrown in /suse/meissner/xx.php on line 8
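The reproducer attachment is not reproduced on this page, but comments 1 to 3 show the shape that matters for this bug family: a serialized array whose members are back-references (`r:N;` / `R:N;`) into the array itself, combined with an SPL object (`ArrayObject`) carried in the custom `C:` serialization format. The following triage helper is an added example, not the attachment from this bug and not PHP project code; it parses the serialize() wire format far enough to list the object classes and back-references a payload contains, which is what a WAF rule, a log-scraper or an incident responder would want to pull out of a captured request body. The three sample payloads are constructed for the example and are not the PoC; the `PhpSerialParser`, `Findings` and `triage` names are this example's own.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Findings:
    classes: list = field(default_factory=list)    # class names from O:/C: tokens, outermost first
    backrefs: list = field(default_factory=list)   # (token, slot, enclosing class or None)
    max_depth: int = 0


# Back-reference tokens inside a C: body (class-defined layout, so scanned, not parsed).
_BACKREF_RE = re.compile(rb"(?<![A-Za-z])([rR]):(\d+);")


class PhpSerialParser:
    """Recursive-descent parser for the PHP serialize() format (the 5.x token set)."""

    def __init__(self, data: bytes):
        self.d, self.i, self.f = data, 0, Findings()

    def _expect(self, tok: bytes):
        if not self.d.startswith(tok, self.i):
            raise ValueError(f"expected {tok!r} at offset {self.i}")
        self.i += len(tok)

    def _until(self, ch: bytes) -> bytes:
        j = self.d.find(ch, self.i)
        if j < 0:
            raise ValueError(f"unterminated token at offset {self.i}")
        out, self.i = self.d[self.i:j], j + 1
        return out

    def _take(self, n: int) -> bytes:
        if self.i + n > len(self.d):
            raise ValueError(f"length {n} overruns input at offset {self.i}")
        out, self.i = self.d[self.i:self.i + n], self.i + n
        return out

    def _class_header(self):
        """Common prefix of O: and C: tokens: :len:"Class":count:{"""
        self._expect(b":")
        ln = int(self._until(b":"))
        self._expect(b'"')
        cls = self._take(ln).decode("latin-1")
        self._expect(b'":')
        n = int(self._until(b":"))
        self._expect(b"{")
        self.f.classes.append(cls)
        return cls, n

    def parse(self):
        v = self._value(0, None)
        if self.i != len(self.d):
            raise ValueError(f"trailing data at offset {self.i}")
        return v, self.f

    def _value(self, depth, owner):
        self.f.max_depth = max(self.f.max_depth, depth)
        t = self._take(1)
        if t == b"N":
            self._expect(b";"); return None
        if t in (b"b", b"i"):
            self._expect(b":"); n = int(self._until(b";"))
            return bool(n) if t == b"b" else n
        if t == b"d":
            self._expect(b":"); return float(self._until(b";"))
        if t == b"s":
            self._expect(b":"); n = int(self._until(b":"))
            self._expect(b'"'); s = self._take(n); self._expect(b'";')
            return s.decode("latin-1")
        if t in (b"r", b"R"):          # reference into the unserialize() var table
            self._expect(b":"); slot = int(self._until(b";"))
            self.f.backrefs.append((t.decode(), slot, owner))
            return (t.decode(), slot)
        if t == b"a":                   # a:count:{key;value;...}
            self._expect(b":"); n = int(self._until(b":")); self._expect(b"{")
            arr = {}
            for _ in range(n):
                k = self._value(depth + 1, owner); arr[k] = self._value(depth + 1, owner)
            self._expect(b"}"); return arr
        if t == b"O":                   # O:len:"Class":nprops:{...}
            cls, n = self._class_header()
            props = {}
            for _ in range(n):
                k = self._value(depth + 1, cls); props[k] = self._value(depth + 1, cls)
            self._expect(b"}"); return ("object", cls, props)
        if t == b"C":                   # C:len:"Class":nbytes:{raw} -> Class::unserialize(raw)
            cls, n = self._class_header()
            raw = self._take(n); self._expect(b"}")
            for m in _BACKREF_RE.finditer(raw):
                self.f.backrefs.append((m.group(1).decode(), int(m.group(2)), cls))
            return ("custom", cls, raw)
        raise ValueError(f"unknown token {t!r} at offset {self.i - 1}")


def triage(payload: bytes) -> dict:
    """Flag payloads that combine objects with back-references, or that do not parse."""
    try:
        _, f = PhpSerialParser(payload).parse()
    except ValueError as e:
        return {"parse_error": str(e), "suspicious": True}
    return {"classes": f.classes, "backrefs": f.backrefs, "max_depth": f.max_depth,
            "suspicious": bool(f.classes) and bool(f.backrefs)}


# Constructed samples (not the xx.php attachment): benign data, an array referencing
# itself through a stdClass property, and an ArrayObject whose custom body points at slot 1.
BENIGN = b'a:2:{i:0;s:3:"abc";i:1;i:7;}'
SELF_REF = b'a:2:{i:0;O:8:"stdClass":1:{s:1:"p";r:1;}i:1;R:2;}'
SPL_REF = b'a:2:{i:0;r:1;i:1;C:11:"ArrayObject":29:{x:i:0;a:1:{i:0;r:1;};m:a:0:{}}}'

if __name__ == "__main__":
    for name, p in (("benign", BENIGN), ("self_ref", SELF_REF), ("spl_ref", SPL_REF)):
        print(name, triage(p))
```

The parser deliberately does not descend into a `C:` body, because its layout is defined by the class (SPL's `x:`/`m:` fields for `ArrayObject`) rather than by the engine, so a regex scan for `r:`/`R:` tokens is the honest level of inspection there. On the PHP side the durable fix is not to unserialize attacker-controlled input at all; the `allowed_classes` option of `unserialize()` only exists from PHP 7.0, which is not an option for the 5.x branches this bug tracks.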
Comment 4 Swamp Workflow Management 2016-06-24 22:01:06 UTC
bugbot adjusting priority
Comment 5 Petr Gajdos 2016-06-27 11:51:44 UTC
Already in 12sp2/php7, unaffected.

(In reply to Marcus Meissner from comment #2)
> on php 5.6 it prints
> string(13) "filler_zval_2"

The same I get for 12/php5.
Fixed in 13.2/php5 and 12/php5.
Comment 6 Petr Gajdos 2016-06-29 08:04:34 UTC
Will submit now without the fix for 5.3. Please reassign back to me as soon as the release happens, if you still want to fix this for 5.3.

(see also bug 986247 comment 5 and bug 986247 comment 6)
Comment 7 Petr Gajdos 2016-06-29 08:39:09 UTC
Packages submitted.
Comment 9 Bernhard Wiedemann 2016-06-29 10:00:54 UTC
This is an autogenerated message for OBS integration:
This bug (986391) was mentioned in
https://build.opensuse.org/request/show/405425 13.2 / php5
Comment 11 Bernhard Wiedemann 2016-06-29 14:03:47 UTC
This is an autogenerated message for OBS integration:
This bug (986391) was mentioned in
https://build.opensuse.org/request/show/405458 13.2 / php5
Comment 12 Swamp Workflow Management 2016-07-07 16:09:26 UTC
openSUSE-SU-2016:1761-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986246,986247,986386,986388,986391,986392,986393
CVE References: CVE-2015-8935,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772,CVE-2016-5773
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-69.1
Comment 15 Swamp Workflow Management 2016-07-20 22:10:25 UTC
SUSE-SU-2016:1842-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486
CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-68.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-68.1
Comment 16 Swamp Workflow Management 2016-08-01 03:10:12 UTC
openSUSE-SU-2016:1922-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 986004,986244,986246,986386,986388,986391,986392,986393,988486
CVE References: CVE-2015-8935,CVE-2016-5385,CVE-2016-5766,CVE-2016-5767,CVE-2016-5768,CVE-2016-5769,CVE-2016-5770,CVE-2016-5771,CVE-2016-5772
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-56.1
Comment 17 Marcus Meissner 2016-08-01 11:20:30 UTC
unfixed for sle11
Comment 18 Swamp Workflow Management 2017-01-30 13:28:46 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-02-13.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63367
Comment 21 Matthias Gerstner 2018-02-06 10:46:47 UTC
Created attachment 758973 [details]
fix for php 5.3
Comment 22 Matthias Gerstner 2018-02-06 10:53:28 UTC
I've provided a patch for php-5.3 for this issue in attachment 758973 [details]. It depends on the patch found in attachment 758972 [details] in bug 986247.

The patch backports the get_gc handler function in an ABI compatible way. Since the spl_array contains sub-objects, I had to include a part of the additional garbage collector logic found in php-5.4.

It's not completely clear whether php-5.3 is affected by this spl_array issue. The PoC does not work as such and I'm not clear why. The basic vulnerability is the same as in bug 986247, however, which affects php-5.3. Therefore it is better we fix it for php-5.3 as well.
Comment 23 Petr Gajdos 2018-02-06 19:14:35 UTC
Package submitted.
Thanks Matthias.
Comment 27 Swamp Workflow Management 2018-03-26 13:09:15 UTC
SUSE-SU-2018:0806-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1076220,1076391,1080234,1083639,986247,986391
CVE References: CVE-2016-10712,CVE-2016-5771,CVE-2016-5773,CVE-2018-5711,CVE-2018-5712,CVE-2018-7584
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.20.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-112.20.1
Comment 28 Marcus Meissner 2019-07-04 05:40:30 UTC
done