Bug 991430 – VUL-0: php5,php7,php53: CVE-2016-5399: php, bzip2: Improper error handling in bzread()

Bug 991430 - (CVE-2016-5399) VUL-0: php5,php7,php53: CVE-2016-5399: php, bzip2: Improper error handling in bzread()

(CVE-2016-5399)
Summary:	VUL-0: php5,php7,php53: CVE-2016-5399: php, bzip2: Improper error handling in...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/171122/
Whiteboard:	CVSSv2:SUSE:CVE-2016-5399:6.8:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-08-01 08:48 UTC by Sebastian Krahmer
Modified:	2016-11-01 15:23 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
CVE-2016-5399.bz2 (351 bytes, application/octet-stream) 2016-08-23 06:48 UTC, Marcus Meissner	Details
CVE-2016-5399.php (258 bytes, text/plain) 2016-08-23 06:49 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Krahmer 2016-08-01 08:48:22 UTC

Quoting from RH BZ:

Wrong error handling in bzread() function that possibly leads to code execution was reported.


rh#1358395

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1358395
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5399
http://seclists.org/oss-sec/2016/q3/121
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5399.html
http://www.debian.org/security/2016/dsa-3631
https://github.com/dyntopia/exploits/tree/master/CVE-2016-5399]
https://bugs.php.net/bug.php?id=72613]

Comment 1 Petr Gajdos 2016-08-01 14:52:15 UTC

http://git.php.net/?p=php-src.git;a=commitdiff;h=f3feddb5b45b5abd93abb1a95044b7e099d51c84
http://git.php.net/?p=php-src.git;a=commitdiff;h=5faa15c4ce9d68a286a9ffe10ecbb897ebe95601

Comment 2 Petr Gajdos 2016-08-03 12:13:33 UTC

BEFORE I get a segfault for the testcase in commits from comment 1 for 12/php7 and 11sp3/php53.

AFTER I get no segfault.

One of the commits is for php7, second is for php5.

Comment 3 Petr Gajdos 2016-08-04 08:54:26 UTC

I believe all affected code streams fixed.

Comment 4 Bernhard Wiedemann 2016-08-04 10:02:29 UTC

This is an autogenerated message for OBS integration:
This bug (991430) was mentioned in
https://build.opensuse.org/request/show/416889 13.2 / php5

Comment 9 Sebastian Krahmer 2016-08-10 10:01:53 UTC

CVSSv2:SUSE:CVE-2016-5399:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)

Comment 10 Swamp Workflow Management 2016-08-15 13:09:59 UTC

openSUSE-SU-2016:2071-1: An update that fixes 12 vulnerabilities is now available.

Category: security (moderate)
Bug References: 987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437
CVE References: CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-72.1

Comment 11 Swamp Workflow Management 2016-08-16 11:11:37 UTC

SUSE-SU-2016:2080-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 986004,986244,986386,986388,986393,991426,991427,991428,991429,991430,991433,991437
CVE References: CVE-2015-8935,CVE-2016-5399,CVE-2016-5766,CVE-2016-5767,CVE-2016-5769,CVE-2016-5772,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php5-5.2.14-0.7.30.89.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    php5-5.2.14-0.7.30.89.1

Comment 12 Marcus Meissner 2016-08-23 06:48:56 UTC

Created attachment 689048 [details]
CVE-2016-5399.bz2

QA REPRODUCER: 

(data part, script is in next comment)

Comment 13 Marcus Meissner 2016-08-23 06:49:25 UTC

Created attachment 689049 [details]
CVE-2016-5399.php

QA REPRODUCER:

php CVE-2016-5399.php

good: no output
bad: ERROR output

Comment 14 Swamp Workflow Management 2016-09-01 16:10:33 UTC

SUSE-SU-2016:2210-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 987530,991426,991427,991428,991429,991430,991433,991437
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-79.2
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-79.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-79.2

Comment 16 Swamp Workflow Management 2016-09-16 19:10:18 UTC

SUSE-SU-2016:2328-1: An update that fixes 18 vulnerabilities is now available.

Category: security (important)
Bug References: 987530,991426,991427,991428,991429,991430,991433,991437,997206,997207,997208,997210,997211,997220,997225,997230,997257
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-55.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    php53-5.3.17-55.1

Comment 17 Swamp Workflow Management 2016-09-28 13:11:27 UTC

SUSE-SU-2016:2408-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-73.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-73.1

Comment 18 Swamp Workflow Management 2016-10-04 15:12:46 UTC

openSUSE-SU-2016:2451-1: An update that fixes 24 vulnerabilities is now available.

Category: security (important)
Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257
CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-59.1

Comment 19 Swamp Workflow Management 2016-10-05 19:10:23 UTC

SUSE-SU-2016:2460-1: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820
CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-15.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-15.1

Comment 21 Swamp Workflow Management 2016-11-01 15:23:12 UTC

SUSE-SU-2016:2460-2: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820
CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-15.1