Bugzilla – Bug 971912
VUL-0: CVE-2016-3142: php5: Out-of-bounds read in phar_parse_zipfile()
Last modified: 2016-08-16 08:25:47 UTC
rh#1315312

An out-of-bounds read vulnerability was found in PHAR's phar_parse_zipfile() function.

Vulnerable code: ext/phar/zip.c:

    int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias, int alias_len, phar_archive_data** pphar, char **error) /* {{{ */
    {
        phar_zip_dir_end locator;
        char buf[sizeof(locator) + 65536];
        ...
        while ((p=(char *) memchr(p + 1, 'P', (size_t) (size - (p + 1 - buf)))) != NULL) {
            if (!memcmp(p + 1, "K\5\6", 3)) {
                memcpy((void *)&locator, (void *) p, sizeof(locator));

                if (PHAR_GET_16(locator.centraldisk) != 0 || PHAR_GET_16(locator.disknumber) != 0) {
                    /* split archives not handled */
                    php_stream_close(fp);
                    if (error) {
                        spprintf(error, 4096, "phar error: split archives spanning multiple zips cannot be processed in zip-based phar \"%s\"", fname);
                    }
                    return FAILURE;
                }
        ...

The above code block tries to determine where in buf "PK\x05\x06" is, which is actually the "End of central directory record" structure of a zip file. Then it copies 0x16 bytes from there to `phar_zip_dir_end locator`. If the "PK\x05\x06" signature is located at the end of the `buf` variable, it will read out of bounds of the `buf` variable and copy to `locator`.

Upstream bug: https://bugs.php.net/bug.php?id=71498
Upstream patch: https://git.php.net/?p=php-src.git;a=commit;h=a6fdc5bb27b20d889de0cd29318b3968aabb57bd

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1315312
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3142
http://seclists.org/oss-sec/2016/q1/626
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3142.html
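The following is an added example, not code from php-src or from the attached testcase, that isolates the locator search described above. It mirrors the vulnerable selection logic (first "PK\5\6" found by a forward memchr() scan, with no check that a full 22-byte record follows) next to a hardened search that only considers offsets at which the whole record fits. The struct layout follows the ZIP "end of central directory record" (field names disknumber/centraldisk are taken from the snippet above, the rest are my own), the three sample buffers are constructed for the demo, and the exact-comment-length check is my own hardening choice, not a claim about what the upstream patch does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed part of the ZIP "End of central directory record"; php's
 * phar_zip_dir_end locator has the same 22-byte layout. */
#define EOCD_SIZE 22

typedef struct {
    uint16_t disknumber, centraldisk, counthisdisk, count;
    uint32_t cdir_size, cdir_offset;
    uint16_t comment_len;
} zip_eocd;

enum { EOCD_OK = 0, EOCD_NOT_FOUND = -1, EOCD_SPLIT_ARCHIVE = -2 };

/* Little-endian field readers, the role PHAR_GET_16() plays in zip.c. */
static uint16_t get16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const unsigned char *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* Selection logic of the vulnerable loop: the first 'P' a forward memchr()
 * scan finds that is followed by "K\5\6" wins, with no check that EOCD_SIZE
 * bytes remain after it.  Returns the offset or -1.  Deliberately stops short
 * of the memcpy so this demo never reads past buf (it also bounds the 4-byte
 * signature compare, which the original code did not). */
static long eocd_offset_unchecked(const unsigned char *buf, size_t size)
{
    const unsigned char *end = buf + size;
    const unsigned char *p = buf;

    while (p < end && (p = memchr(p, 'P', (size_t)(end - p))) != NULL) {
        if ((size_t)(end - p) >= 4 && memcmp(p + 1, "K\x05\x06", 3) == 0)
            return (long)(p - buf);
        p++;
    }
    return -1;
}

/* Bytes a sizeof(locator) memcpy starting at `off` would read past `size`. */
static size_t eocd_overrun(size_t off, size_t size)
{
    return off + EOCD_SIZE > size ? off + EOCD_SIZE - size : 0;
}

/* Hardened search: only offsets at which a whole record fits are candidates,
 * scanned backwards from the last one because the real record sits at the end
 * of the file followed only by its comment.  A candidate is accepted only if
 * its comment length accounts exactly for the remaining bytes, which also
 * weeds out "PK\5\6" sequences that merely occur inside file data. */
static int zip_find_eocd(const unsigned char *buf, size_t size, zip_eocd *out, size_t *offset)
{
    if (size < EOCD_SIZE)
        return EOCD_NOT_FOUND;
    for (size_t off = size - EOCD_SIZE + 1; off-- > 0;) {
        const unsigned char *p = buf + off;
        zip_eocd e;

        if (memcmp(p, "PK\x05\x06", 4) != 0)
            continue;
        e.disknumber = get16(p + 4);   e.centraldisk = get16(p + 6);
        e.counthisdisk = get16(p + 8); e.count = get16(p + 10);
        e.cdir_size = get32(p + 12);   e.cdir_offset = get32(p + 16);
        e.comment_len = get16(p + 20);
        if (off + EOCD_SIZE + e.comment_len != size)
            continue;                     /* signature bytes inside data, keep looking */
        if (e.disknumber != 0 || e.centraldisk != 0)
            return EOCD_SPLIT_ARCHIVE;    /* "split archives spanning multiple zips" */
        if (out) *out = e;
        if (offset) *offset = off;
        return EOCD_OK;
    }
    return EOCD_NOT_FOUND;                /* "end of central directory not found" */
}

/* Comment length of the accepted record, or -1 when no record is accepted. */
static long eocd_comment_len(const unsigned char *buf, size_t size)
{
    zip_eocd e;
    return zip_find_eocd(buf, size, &e, NULL) == EOCD_OK ? (long)e.comment_len : -1;
}

/* Constructed samples (not the attached bug71498.zip):
 * good_tail: empty central directory, record at offset 0, 5-byte comment;
 * truncated_tail: filler, then a bare signature as the last 4 bytes (the bug shape);
 * split_tail: well-formed record claiming disk number 1. */
static const unsigned char good_tail[] = {
    'P','K',5,6, 0,0, 0,0, 0,0, 0,0, 0,0,0,0, 0,0,0,0, 5,0, 'h','e','l','l','o' };
static const unsigned char truncated_tail[] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A', 'P','K',5,6 };
static const unsigned char split_tail[] = {
    'P','K',5,6, 1,0, 1,0, 0,0, 0,0, 0,0,0,0, 0,0,0,0, 0,0 };

int main(void)
{
    long off = eocd_offset_unchecked(truncated_tail, sizeof truncated_tail);
    printf("unchecked scan picks offset %ld of %zu; memcpy would read %zu bytes past buf\n",
           off, sizeof truncated_tail, eocd_overrun((size_t)off, sizeof truncated_tail));
    printf("hardened: truncated=%d good=%d (comment_len %ld) split=%d\n",
           zip_find_eocd(truncated_tail, sizeof truncated_tail, NULL, NULL),
           zip_find_eocd(good_tail, sizeof good_tail, NULL, NULL),
           eocd_comment_len(good_tail, sizeof good_tail),
           zip_find_eocd(split_tail, sizeof split_tail, NULL, NULL));
    return 0;
}
```

On the truncated buffer the unchecked selection lands 18 bytes short of a full record, which is exactly what the original memcpy would read from beyond buf; whatever stack bytes sit there then feed the disknumber/centraldisk comparison, which is why the unpatched build reported a "split archive" for the testcase. The hardened scan never considers that offset and falls through to "not found", matching the post-fix output in the next comment.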
Created attachment 670027
testcase zip

Test based on upstream testcase. Tested with 13.2 and 11sp3.

Installed packages: php5, php5-phar

$ cat test.php
<?php
try {
    $p = new PharData(__DIR__."/bug71498.zip");
} catch(UnexpectedValueException $e) {
    echo $e->getMessage();
}
?>

$ BEFORE
$ php test.php bug71498.zip
phar error: split archives spanning multiple zips cannot be processed in zip-based phar "/971912/bug71498.zip"

$ AFTER
$ php test.php bug71498.zip
phar error: end of central directory not found in zip-based phar "/971912/bug71498.zip"
This is an autogenerated message for OBS integration: This bug (971912) was mentioned in https://build.opensuse.org/request/show/381468 13.2 / php5
Submitted.
This is an autogenerated message for OBS integration: This bug (971912) was mentioned in https://build.opensuse.org/request/show/382845 13.2 / php5
This is an autogenerated message for OBS integration: This bug (971912) was mentioned in https://build.opensuse.org/request/show/384375 13.2 / php5
This is an autogenerated message for OBS integration: This bug (971912) was mentioned in https://build.opensuse.org/request/show/385728 13.2 / php5
This is an autogenerated message for OBS integration: This bug (971912) was mentioned in https://build.opensuse.org/request/show/389948 13.2 / php5
SUSE-SU-2016:1145-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 949961,968284,969821,971611,971612,971912,973351,973792
CVE References: CVE-2014-9767,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-59.1
SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-59.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-59.1
releasing SLE 12
SUSE-SU-2016:1166-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 968284,969821,971611,971612,971912,973351,973792
CVE References: CVE-2014-9767,CVE-2015-8835,CVE-2015-8838,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-53.1
SUSE Linux Enterprise Software Development Kit 12 (src): php5-5.5.14-53.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-53.1
openSUSE-SU-2016:1167-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 969821,971611,971612,971912,973351,973792,974305
CVE References: CVE-2014-9767,CVE-2015-8835,CVE-2015-8838,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185
Sources used:
openSUSE 13.2 (src): php5-5.6.1-53.3
Releasing for openSUSE Leap 42.1, all done.
openSUSE-SU-2016:1173-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 968284,969821,971611,971612,971912,973351,973792
CVE References: CVE-2014-9767,CVE-2015-8835,CVE-2015-8838,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185
Sources used:
openSUSE Leap 42.1 (src): php5-5.5.14-44.1
As the Service Account Manager for Cray, the customer requesting the fix, I need to escalate this issue. The public web site says that security issues are fixed for 10 years (https://www.suse.com/support/policy.html). Who is in charge that I need to speak to?
SUSE-SU-2016:1581-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2014-9767,CVE-2015-4116,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE OpenStack Cloud 5 (src): php53-5.3.17-71.1
SUSE Manager Proxy 2.1 (src): php53-5.3.17-71.1
SUSE Manager 2.1 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): php53-5.3.17-71.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-71.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-71.1
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-47.1