Bug 1035111 - (CVE-2016-6294) VUL-1: CVE-2016-6294: php5,php53,php7: workaround for icu: locale_accept_from_http out-of-bounds access
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/171314/
CVSSv2:NVD:CVE-2016-4070:5.0:(AV:N/A...
Reported: 2017-04-20 09:22 UTC by Marcus Meissner
Modified: 2019-05-01 13:44 UTC
Found By: Security Response Team
Description Marcus Meissner 2017-04-20 09:22:26 UTC
This tracks the PHP hardening part of the problem.

+++ This bug was initially created as a clone of Bug #990636 +++

http://seclists.org/oss-sec/2016/q3/137

https://bugs.php.net/72533 (locale_accept_from_http out-of-bounds access). (Stas)
This bug is inside libicu

PHP remediation:
    http://git.php.net/?p=php-src.git;a=commit;h=aa82e99ed8003c01f1ef4f0940e56b85c5b032d4

The related upstream code can be found in the
http://source.icu-project.org/repos/icu/icu/trunk/source/common/uloc.cpp
file.

What we will do for now is assign one CVE ID for the "ICU for C/C++"
product and a separate CVE ID for PHP. In other words, the bug #72533
discoverer has indicated that it is a bug in that ICU product.
However, it is a bug at a different level within the PHP distribution,
because aa82e99ed8003c01f1ef4f0940e56b85c5b032d4 implies that PHP is
intended to operate safely even with an unpatched copy of the ICU
library.

Use CVE-2016-6293 for ICU for C/C++.
Use CVE-2016-6294 for PHP.

(If there happens to be further information indicating that
uloc_acceptLanguageFromHTTP was supposed to be using the tmp array as
originally written, then we can reject CVE-2016-6293.)



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6293
http://seclists.org/oss-sec/2016/q3/137
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6293.html
http://www.cvedetails.com/cve/CVE-2016-6293/
Comment 1 Petr Gajdos 2017-04-24 12:42:42 UTC
QA:

for 12/php7, 12/php5, 11sp3/php53 (11/php5 and 10sp3/php5 do not have the intl extension):

$ cat test.php
<?php

$var1=str_repeat("a", 200);
locale_accept_from_http($var1);
?>
$

BEFORE

$ valgrind php test.php
[...]
==7944== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
$

AFTER

$ valgrind php test.php
[...]
==29857== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
$
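
The description says PHP is meant to operate safely even with an unpatched ICU, and the QA test feeds locale_accept_from_http a 200-byte string. The following is an added example, not part of this bug report and not PHP's actual patch: a caller-side guard that rejects any comma-separated Accept-Language fragment too long for the library. The function name and the 157-byte limit (assumed to be ICU's ULOC_FULLNAME_CAPACITY) are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: ICU's ULOC_FULLNAME_CAPACITY, which is 157 in uloc.h. */
#define MAX_LOCALE_TAG_LEN 157

/* Hypothetical caller-side guard (not PHP's patch): returns 1 when every
 * comma-separated fragment of an Accept-Language value fits in
 * MAX_LOCALE_TAG_LEN bytes, 0 when one is longer or header is NULL. */
int accept_language_is_safe(const char *header, size_t header_len)
{
    const char *start = header;
    const char *stop;

    if (header == NULL)
        return 0;
    if (header_len <= MAX_LOCALE_TAG_LEN)
        return 1;               /* no fragment can exceed the limit */

    stop = header + header_len;
    for (;;) {
        const char *comma = memchr(start, ',', (size_t)(stop - start));
        size_t len = comma ? (size_t)(comma - start) : (size_t)(stop - start);

        if (len > MAX_LOCALE_TAG_LEN)
            return 0;           /* reject before the string reaches ICU */
        if (comma == NULL)
            return 1;           /* last fragment checked */
        start = comma + 1;
    }
}

int main(void)
{
    /* Constructed inputs: a normal header and the 200-byte QA string. */
    const char *normal = "en-US,en;q=0.8,de;q=0.5";
    char oversized[201];

    memset(oversized, 'a', 200);
    oversized[200] = '\0';

    printf("normal:    %d\n", accept_language_is_safe(normal, strlen(normal)));
    printf("oversized: %d\n", accept_language_is_safe(oversized, 200));
    return 0;
}
```

A long header made only of short fragments still passes, because the check is applied per fragment rather than to the total length.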
Comment 2 Petr Gajdos 2017-04-24 12:47:13 UTC
Packages submitted.
Comment 5 Swamp Workflow Management 2017-06-16 19:10:06 UTC
SUSE-SU-2017:1585-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1031246,1035111,1040883,1040889,1040891
CVE References: CVE-2016-6294,CVE-2017-7272,CVE-2017-9224,CVE-2017-9226,CVE-2017-9227
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-108.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-108.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-108.1
Comment 7 Swamp Workflow Management 2017-06-23 16:10:58 UTC
SUSE-SU-2017:1662-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1035111,1040883,1040889,1040891
CVE References: CVE-2016-6294,CVE-2017-9224,CVE-2017-9226,CVE-2017-9227
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php5-5.5.14-108.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-108.1
Comment 8 Swamp Workflow Management 2017-06-29 16:11:52 UTC
SUSE-SU-2017:1717-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1032155,1035111,1040883,1040889,1040891
CVE References: CVE-2016-6294,CVE-2017-6441,CVE-2017-9224,CVE-2017-9226,CVE-2017-9227
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php7-7.0.7-49.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-49.1
Comment 9 Swamp Workflow Management 2017-07-03 10:10:16 UTC
openSUSE-SU-2017:1757-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1035111,1040883,1040889,1040891
CVE References: CVE-2016-6294,CVE-2017-9224,CVE-2017-9226,CVE-2017-9227
Sources used:
openSUSE Leap 42.2 (src):    php5-5.5.14-77.6.1
Comment 10 Swamp Workflow Management 2017-07-06 22:10:16 UTC
openSUSE-SU-2017:1800-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1032155,1035111,1040883,1040889,1040891
CVE References: CVE-2016-6294,CVE-2017-6441,CVE-2017-9224,CVE-2017-9226,CVE-2017-9227
Sources used:
openSUSE Leap 42.2 (src):    php7-7.0.7-14.6.1
Comment 11 Marcus Meissner 2017-10-26 05:55:24 UTC
released