[v3.2] php: multiple vulnerabilities (CVE-2015-6831, CVE-2015-6832, CVE-2015-6833)
The CVE IDs in this message apply to PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12.
These look like they can be exploited for code execution.
There is related discussion in the http://www.openwall.com/lists/oss-security/2015/02/05/5 post. The essential question is whether there should be a new CVE ID for every report where exploitation depends on the attacker’s ability to control the argument to unserialize. We think these reports are important to relatively few people, i.e., either because their applications don’t allow arbitrary input to unserialize, or because their applications do allow arbitrary input to unserialize and there’s already a much simpler attack approach available. In other words, in practice, no privilege boundary is crossed. However, it’s conceivable for an application to have constraints on how unserialize is used, such that many attacks are blocked, but these remote-code-execution attacks involving use-after-free bugs aren’t blocked. For example, see some of the discussion linked from the https://wiki.php.net/rfc/secure_unserialize page.
https://bugs.php.net/bug.php?id=70166
https://bugs.php.net/bug.php?id=70155 (dup)
Use After Free Vulnerability in unserialize() with SPLArrayObject
https://bugs.php.net/bug.php?id=70168
Use After Free Vulnerability in unserialize() with SplObjectStorage
https://bugs.php.net/bug.php?id=70169
Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
In the current case, we feel it is best to combine a number of taoguangchen () icloud com discoveries into one CVE. Use CVE-2015-6831 for 70155/70166/70168/70169.
https://bugs.php.net/bug.php?id=70068
Dangling pointer in the unserialization of ArrayObject items
impact: remote code execution
Use CVE-2015-6832 for this sean.heelan () gmail com discovery.
https://bugs.php.net/bug.php?id=70019
Files extracted from archive may be placed outside of destination directory
Use CVE-2015-6833. This seems to be a marginal case in which the issue can be interpreted as a security enhancement because the vendor (2015-07-08 14:30) states that the behavior was intended. However, for most people, “Extract the contents of a phar archive to a directory” (see the http://php.net/manual/en/phar.extractto.php page) probably doesn’t suggest that an arbitrary set of directories can be chosen by the author of the archive. Also, we already have CVE-2008-5658.
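The application-side constraint discussed above (refusing to hand object-bearing input to unserialize, the approach the secure_unserialize RFC formalised as `allowed_classes`) as an added example; this is not code from the advisory, from PHP, or from the bug reporters, and `safe_unserialize` is a hypothetical name.

```php
<?php
// Added example: a wrapper that never lets serialized objects reach
// unserialize(). Without objects, none of the SPL classes named in the
// bug reports above (ArrayObject, SplObjectStorage, SplDoublyLinkedList)
// can be instantiated from attacker-supplied data.
function safe_unserialize($data)
{
    // Layer 1 (all PHP versions, including the 5.4/5.5/5.6 branches above):
    // conservatively reject any O: (object) or C: (custom-serialized object)
    // token before the parser sees it. This also rejects plain strings that
    // happen to contain such a token, which is the safe direction to fail.
    if (!is_string($data) || preg_match('/[OC]:\d+:"/', $data)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    // Layer 2 (PHP >= 7.0): additionally tell the engine to instantiate no
    // class at all, so a token the regex missed still cannot create an object.
    if (PHP_VERSION_ID >= 70000) {
        return unserialize($data, array('allowed_classes' => false));
    }
    return unserialize($data);
}

// Constructed inputs: scalar/array data round-trips, object data is refused.
$plain = safe_unserialize(serialize(array('id' => 7, 'tags' => array('a', 'b'))));
echo "accepted: id=", $plain['id'], "\n";

try {
    safe_unserialize(serialize(new stdClass()));   // O:8:"stdClass":0:{}
} catch (InvalidArgumentException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}
```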
Reference:
(from redmine: issue id 4631, created on 2015-09-09, closed on 2015-09-10)
- Relations:
- parent #4627 (closed)