Bug 999684 - (CVE-2016-7417) VUL-0: CVE-2016-7417: php5, php7: Missing type check when unserializing SplArray
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/172667/
Whiteboard: maint:running:63038:important CVSSv2:...
Reported: 2016-09-19 14:17 UTC by Victor Pereira
Modified: 2019-06-16 14:37 UTC
Found By: Security Response Team
Description Victor Pereira 2016-09-19 14:17:30 UTC
rh#1377344

It was found that the return value is used without being checked in spl_array_get_dimension_ptr_ptr.

Vulnerable code:

static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, zval *offset, int type TSRMLS_DC) /* {{{ */
{
    ....
    /* spl_array_get_hash_table() can return NULL here, and ht is used without a NULL check */
    HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
    ....
}

Upstream bug:

https://bugs.php.net/bug.php?id=73029

Upstream patch:

https://github.com/php/php-src/commit/ecb7f58a069be0dec4a6131b6351a761f808f22e?w=1

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1377344
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7417
http://seclists.org/oss-sec/2016/q3/518
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7417.html
http://www.cvedetails.com/cve/CVE-2016-7417/
Comment 1 Swamp Workflow Management 2016-09-19 22:02:16 UTC
bugbot adjusting priority
Comment 2 Victor Pereira 2016-09-20 14:33:40 UTC
Test script:
---------------
<?php
$a = 'C:11:"ArrayObject":19:{x:i:0;r:2;;m:a:0:{}}';
$m = unserialize($a);
$x = $m[2];
?>

Expected result:
----------------
No crash

Actual result:
--------------
$ gdb /data/php-src-PHP-5.6.26/sapi/cli/php
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
(gdb) r se.php
Starting program: /data/php-src-PHP-5.6.26/sapi/cli/php se.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000ac08e3 in _zend_is_inconsistent (ht=0x0, file=0x10d3b78 "/data/php-src-PHP-5.6.26/Zend/zend_hash.c",
    line=938) at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:60
60              if (ht->inconsistent==HT_OK) {
(gdb) bt
#0  0x0000000000ac08e3 in _zend_is_inconsistent (ht=0x0, file=0x10d3b78 "/data/php-src-PHP-5.6.26/Zend/zend_hash.c",
    line=938) at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:60
#1  0x0000000000ac3625 in zend_hash_index_find (ht=0x0, h=2, pData=0x7fffffffaaf0)
    at /data/php-src-PHP-5.6.26/Zend/zend_hash.c:938
#2  0x000000000089621a in spl_array_get_dimension_ptr_ptr (check_inherited=1, object=0x7ffff7fc50b8,
    offset=0x7ffff7fc7940, type=0) at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:357
#3  0x000000000089664b in spl_array_read_dimension_ex (check_inherited=1, object=0x7ffff7fc50b8,
    offset=0x7ffff7fc7940, type=0) at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:406
#4  0x000000000089679b in spl_array_read_dimension (object=0x7ffff7fc50b8, offset=0x7ffff7fc7940, type=0)
    at /data/php-src-PHP-5.6.26/ext/spl/spl_array.c:434
#5  0x0000000000af40b6 in zend_fetch_dimension_address_read (result=0x7ffff7f901e0, container=0x7ffff7fc50b8,
    dim=0x7ffff7fc7940, dim_type=1, type=0) at /data/php-src-PHP-5.6.26/Zend/zend_execute.c:1364
#6  0x0000000000b4ae0a in ZEND_FETCH_DIM_R_SPEC_CV_CONST_HANDLER (execute_data=0x7ffff7f90260)
    at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:32849
#7  0x0000000000af5196 in execute_ex (execute_data=0x7ffff7f90260)
    at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:363
#8  0x0000000000af521f in zend_execute (op_array=0x7ffff7fc5fd8)
    at /data/php-src-PHP-5.6.26/Zend/zend_vm_execute.h:388
#9  0x0000000000ab0372 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /data/php-src-PHP-5.6.26/Zend/zend.c:1341
#10 0x0000000000a15aa2 in php_execute_script (primary_file=0x7fffffffd200)
    at /data/php-src-PHP-5.6.26/main/main.c:2613
#11 0x0000000000b64a18 in do_cli (argc=2, argv=0x1460a90) at /data/php-src-PHP-5.6.26/sapi/cli/php_cli.c:994
#12 0x0000000000b65d71 in main (argc=2, argv=0x1460a90) at /data/php-src-PHP-5.6.26/sapi/cli/php_cli.c:1378
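The report describes the type check that the upstream patch adds (the storage slot restored by ArrayObject::unserialize must be an array or an object), and Comment 2 shows the serialized payload that reaches the unchecked path. The following Python validator is an added example, not code from the bug report or from php-src: it parses the PHP serialization format just far enough to apply that same type check on the input side, the way a deserialization gateway or a detection rule over stored session data could. The parser, the function names (`parse_value`, `check_spl_array`) and the benign sample payload are constructed for this example; it rejects back-references (`r:`/`R:`) in the storage slot outright, which is stricter than PHP, which resolves them before checking the type.

```python
"""Input-side check for CVE-2016-7417 (added example; not code from the report or php-src)."""
import re

class SerializeError(ValueError):
    """Malformed serialized input."""

# Storage tags the fixed unserialize helper accepts: an array or an object. Back-references
# (r:/R:) are rejected outright, stricter than PHP, which resolves them before type-checking.
ALLOWED_STORAGE_TAGS = {"a", "O", "C"}
SPL_ARRAY_CLASSES = {"ArrayObject", "ArrayIterator", "RecursiveArrayIterator"}
# Payload from Comment 2 of the report (segfaults unpatched PHP 5.6.26).
REPORTED_POC = 'C:11:"ArrayObject":19:{x:i:0;r:2;;m:a:0:{}}'
# Constructed benign counterpart: an empty ArrayObject whose storage slot is an array.
BENIGN_SAMPLE = 'C:11:"ArrayObject":21:{x:i:0;a:0:{};m:a:0:{}}'

def _expect(data, pos, ch):
    if pos >= len(data) or data[pos] != ch:
        raise SerializeError(f"expected {ch!r} at offset {pos}")

def _counted(data, pos, pattern):
    """Match a length-prefixed header such as s:5:" and return (length, end_offset)."""
    m = re.match(pattern, data[pos:])
    if not m:
        raise SerializeError(f"bad header at offset {pos}")
    return int(m.group(1)), pos + m.end()

def _pairs(data, pos, count):
    items = []
    for _ in range(count):                           # key, value, ... then the closing brace
        key, pos = parse_value(data, pos)
        val, pos = parse_value(data, pos)
        items.append((key, val))
    _expect(data, pos, "}")
    return items, pos + 1

def parse_value(data, pos=0):
    """Parse one serialized PHP value at data[pos]; returns ((tag, payload), next_pos)."""
    if pos >= len(data):
        raise SerializeError("unexpected end of data")
    tag = data[pos]
    if tag == "N":                                   # N;
        _expect(data, pos + 1, ";")
        return ("N", None), pos + 2
    if tag in "ibdrR":                               # i:1;  b:1;  d:1.5;  r:2;  R:2;
        end = data.find(";", pos)
        if end < 0 or data[pos + 1:pos + 2] != ":":
            raise SerializeError(f"bad scalar at offset {pos}")
        conv = {"i": int, "b": lambda s: s == "1", "d": float, "r": int, "R": int}[tag]
        return (tag, conv(data[pos + 2:end])), end + 1
    if tag == "s":                                   # s:3:"foo";  (byte-length prefixed)
        length, pos = _counted(data, pos, r's:(\d+):"')
        _expect(data, pos + length, '"')
        _expect(data, pos + length + 1, ";")
        return ("s", data[pos:pos + length]), pos + length + 2
    if tag == "a":                                   # a:<count>:{key;value;...}
        count, pos = _counted(data, pos, r"a:(\d+):\{")
        items, pos = _pairs(data, pos, count)
        return ("a", items), pos
    if tag in "OC":                                  # O:<n>:"Cls":<count>:{...}  C:<n>:"Cls":<len>:{bytes}
        length, pos = _counted(data, pos, tag + r':(\d+):"')
        cls, pos = data[pos:pos + length], pos + length
        _expect(data, pos, '"')
        _expect(data, pos + 1, ":")
        count, pos = _counted(data, pos + 2, r"(\d+):\{")
        if tag == "O":
            props, pos = _pairs(data, pos, count)
            return ("O", (cls, props)), pos
        _expect(data, pos + count, "}")              # C: body is opaque, class-defined bytes
        return ("C", (cls, data[pos:pos + count])), pos + count + 1
    raise SerializeError(f"unknown tag {tag!r} at offset {pos}")

def check_spl_array(serialized):
    """Return (accepted, reason); False when an SPL array class carries a non-array, non-object storage slot."""
    (tag, payload), end = parse_value(serialized)
    if end != len(serialized):
        return False, "trailing bytes after the value"
    if tag != "C" or payload[0] not in SPL_ARRAY_CLASSES:
        return True, "not a custom-serialized SPL array class"
    body = payload[1]                                # x:i:<flags>;<storage>;m:<members>
    if not body.startswith("x:"):
        return False, "missing x: flags section"
    (ftag, _flags), pos = parse_value(body, 2)
    if ftag != "i":
        return False, "flags are not an integer"
    if not body.startswith("m:", pos):               # slot present (absent when the object is its own storage)
        (stag, _storage), pos = parse_value(body, pos)
        if stag not in ALLOWED_STORAGE_TAGS:
            return False, f"storage slot is {stag!r}, not an array or object"
        _expect(body, pos, ";")
        pos += 1
    if not body.startswith("m:", pos):
        return False, "missing m: members section"
    (mtag, _members), pos = parse_value(body, pos + 2)
    if mtag != "a" or pos != len(body):
        return False, "members section is not a well-formed array"
    return True, "storage slot is an array or object"
```

`check_spl_array(REPORTED_POC)` returns `(False, "storage slot is 'r', not an array or object")` while the benign sample is accepted; any other serialized value (plain arrays, `O:` objects) passes through untouched. Since `SerializeError` subclasses `ValueError`, a caller can treat unparseable input and a rejected storage slot the same way: drop the blob before it ever reaches `unserialize()`.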
Comment 3 Petr Gajdos 2016-09-21 14:19:09 UTC
Testcase segfaults for php7 and 12/php5, not for 11sp3/php53 (nor valgrind errors there); it might be because the patch is partly there, see spl_array_unserialize_helper().

For 11/php5, there is no SPL_METHOD(Array, unserialize).
Comment 4 Bernhard Wiedemann 2016-09-23 10:01:20 UTC
This is an autogenerated message for OBS integration:
This bug (999684) was mentioned in
https://build.opensuse.org/request/show/429748 13.2 / php5
https://build.opensuse.org/request/show/429753 13.2 / php5
Comment 6 Petr Gajdos 2016-09-23 11:16:08 UTC
I believe all fixed.
Comment 9 Swamp Workflow Management 2016-10-04 14:10:58 UTC
openSUSE-SU-2016:2444-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
openSUSE 13.2 (src):    php5-5.6.1-78.1
Comment 10 Swamp Workflow Management 2016-10-05 16:14:15 UTC
SUSE-SU-2016:2459-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 997206,997207,997208,997210,997211,997220,997225,997230,997257,999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE OpenStack Cloud 5 (src):    php53-5.3.17-84.1
SUSE Manager Proxy 2.1 (src):    php53-5.3.17-84.1
SUSE Manager 2.1 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-84.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    php53-5.3.17-84.1
Comment 11 Swamp Workflow Management 2016-10-05 19:13:07 UTC
SUSE-SU-2016:2460-1: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820
CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-15.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-15.1
Comment 12 Swamp Workflow Management 2016-10-05 23:09:05 UTC
SUSE-SU-2016:2461-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-58.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    php53-5.3.17-58.1
Comment 13 Swamp Workflow Management 2016-10-07 19:13:24 UTC
SUSE-SU-2016:2477-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php5-5.5.14-78.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-78.1
Comment 14 Swamp Workflow Management 2016-10-14 14:12:12 UTC
openSUSE-SU-2016:2540-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
openSUSE Leap 42.1 (src):    php5-5.5.14-62.1
Comment 15 Marcus Meissner 2016-10-31 08:43:24 UTC
released
Comment 16 Swamp Workflow Management 2016-11-01 15:07:56 UTC
SUSE-SU-2016:2477-2: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 999679,999680,999682,999684,999685,999819,999820
CVE References: CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-78.1
Comment 17 Swamp Workflow Management 2016-11-01 15:26:07 UTC
SUSE-SU-2016:2460-2: An update that solves 29 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820
CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-15.1