Bug 1019570 - (CVE-2017-5340) VUL-1: CVE-2017-5340: php7: use of uninitialized memory in unserialize() related to large array allocations
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P5 - None / Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/178439/
Whiteboard: CVSSv2:SUSE:CVE-2017-5340:7.5:(AV:N/A...
Reported: 2017-01-12 12:09 UTC by Andreas Stieger
Modified: 2022-08-03 13:31 UTC (History)
Found By: Security Response Team
Description Andreas Stieger 2017-01-12 12:09:44 UTC
https://bugs.php.net/bug.php?id=73832

Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain
cases that require large array allocations, which allows remote attackers to
execute arbitrary code or cause a denial of service (integer overflow,
uninitialized memory access, and use of arbitrary destructor function pointers)
via crafted serialized data.

https://github.com/php/php-src/commit/4cc0286f2f3780abc6084bcdae5dce595daa3c12

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5340
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5340.html
http://www.cvedetails.com/cve/CVE-2017-5340/
https://github.com/php/php-src/commit/4cc0286f2f3780abc6084bcdae5dce595daa3c12
https://bugs.php.net/bug.php?id=73832
Comment 1 Andreas Stieger 2017-01-12 12:36:29 UTC
php7 only.

This relies on untrusted input being passed to the PHP function unserialize. This is widely known and documented to be insecure. Treating as VUL-1 for this type of vulnerability.
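The triage point above, that the bug is only reachable when unserialize() parses bytes an attacker controls, is the design decision a PHP application owner can act on independently of the package update. The example below is added here and is not code from the bug report or from php-src: it puts the unsafe pattern next to two hardened ones. The first only lets unserialize() see blobs the application itself produced, by checking an HMAC tag before parsing and additionally refusing object instantiation via the PHP 7.0+ `allowed_classes` option; the second avoids PHP's serialization format for untrusted data entirely. Note that the class filter on its own is not a mitigation for this CVE, whose fault lies in array allocation inside the parser; the fix for that is the patched package, and the structural defence is keeping untrusted bytes out of the parser. The `STATE_KEY` constant, the function names and the sample state array are assumptions constructed for the example.

```php
<?php
// Added example, not from the bug report or php-src. Requires PHP >= 7.0
// (for the allowed_classes option of unserialize()).

// The pattern the report warns about: untrusted bytes go straight into the
// unserializer. Any bug in that parser is then reachable by whoever can send
// a request.
function load_state_unsafe($untrusted)
{
    return unserialize($untrusted);           // do not do this
}

// Hardened pattern 1: only data this application produced ever reaches
// unserialize(). The blob is tagged with an HMAC under a server-side key and
// verified in constant time before parsing. The key below is a constructed
// placeholder; a real deployment loads it from configuration.
const STATE_KEY = 'replace-with-32-random-bytes-from-config';

function seal_state(array $state, $key = STATE_KEY)
{
    $blob = serialize($state);
    $tag  = hash_hmac('sha256', $blob, $key);
    return $tag . ':' . base64_encode($blob);
}

function open_state($sealed, $key = STATE_KEY)
{
    $parts = explode(':', $sealed, 2);
    if (count($parts) !== 2) {
        return null;                          // malformed envelope
    }
    list($tag, $encoded) = $parts;
    $blob = base64_decode($encoded, true);    // strict decoding
    if ($blob === false) {
        return null;
    }
    // Verify before parsing: bytes reach unserialize() only if they carry a
    // tag that the key holder produced, so tampered or forged input is
    // rejected without ever touching the parser.
    if (!hash_equals(hash_hmac('sha256', $blob, $key), $tag)) {
        return null;
    }
    // Second layer: allowed_classes => false turns any O: entry into
    // __PHP_Incomplete_Class, so no destructor or magic method can run.
    $state = unserialize($blob, ['allowed_classes' => false]);
    return is_array($state) ? $state : null;
}

// Hardened pattern 2: when the data really does come from an untrusted party,
// do not use PHP's serialization format at all. JSON carries no object
// instantiation and has a much smaller parser surface; the depth limit caps
// nesting from the input.
function load_state_json($untrusted)
{
    $state = json_decode($untrusted, true, 16);
    return is_array($state) ? $state : null;
}

// Constructed sample input for a quick check from the CLI.
$sealed = seal_state(['user' => 42, 'cart' => ['sku-1', 'sku-2']]);
var_dump(open_state($sealed));                               // the original array
var_dump(open_state(substr($sealed, 0, -4) . 'AAAA'));       // NULL: tag mismatch
var_dump(open_state('not-an-envelope'));                     // NULL: malformed
var_dump(load_state_json('{"user":42,"cart":["sku-1"]}'));  // decoded as array
```

Run it with `php example.php`. The envelope format (hex tag, a colon, base64 body) is a choice made for readability here; what matters for the design is the order of operations in `open_state()`: decode, verify, and only then parse.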
Comment 2 Petr Gajdos 2017-01-16 12:16:50 UTC
(In reply to Andreas Stieger from comment #1)
> php7 only.

Thanks for figuring it out.
Comment 3 Petr Gajdos 2017-01-16 16:06:34 UTC
Packages submitted.
Comment 8 Swamp Workflow Management 2017-02-22 14:09:12 UTC
SUSE-SU-2017:0534-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1008026,1019547,1019550,1019568,1019570,1022219,1022255,1022257,1022260,1022262,1022263,1022264,1022265
CVE References: CVE-2016-10158,CVE-2016-10159,CVE-2016-10160,CVE-2016-10161,CVE-2016-10162,CVE-2016-10166,CVE-2016-10167,CVE-2016-10168,CVE-2016-7478,CVE-2016-7479,CVE-2016-7480,CVE-2016-9138,CVE-2017-5340
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    php7-7.0.7-35.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    php7-7.0.7-35.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-35.1
Comment 9 Swamp Workflow Management 2017-03-02 14:12:53 UTC
openSUSE-SU-2017:0588-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1008026,1019547,1019550,1019568,1019570,1022219,1022255,1022257,1022260,1022262,1022263,1022264,1022265
CVE References: CVE-2016-10158,CVE-2016-10159,CVE-2016-10160,CVE-2016-10161,CVE-2016-10162,CVE-2016-10166,CVE-2016-10167,CVE-2016-10168,CVE-2016-7478,CVE-2016-7479,CVE-2016-7480,CVE-2016-9138,CVE-2017-5340
Sources used:
openSUSE Leap 42.2 (src):    php7-7.0.7-12.1
Comment 10 Matthias Gerstner 2017-03-06 10:07:38 UTC
Affected php7/12 codestream released. openSUSE comes from SLE. Closing.