Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 18 May 2015 10:13:34 +1200
From: Emmanuel Law <>
Subject: [CVE Request/Advisory] Multiple vulnerabilities in PHP's handling of
 Phar files


PHP has the built-in Phar & PharData functionality since 5.3.0. It allows
developers to use them to manipulate the following archive types: tar, zip,
phar. Serveral vulnerabilities were found in the Phar extenion.

[1: CVE Request - Memory Corruption in phar_parse_tarfile when entry
filename starts with null ]
 Description: ------------ This is a single byte memory corruption
vulnerability. It is triggered when a tar entry->filename starts with a
null byte. On a x86 machine, it has the potential to corrupt the heap chunk
metadata.On x64 machine, it has the potential to corrupt 1 byte at the
offset entry.filename+0xFFFFFFFF Affected versions: PHP <= 5.6.8 Bug
Report: Patch:;a=commit;h=c27f012b7a447e59d4a704688971cbfa7dddaa74

Can a CVE be assign for this please?

[2: CVE-2015-3307 - Heap metadata corruption when parsing tar file in
phar_tar_process_metadata()] Description: ------------ This is a
vulnerability whereby the Heap header gets misaligned resulting in the
corruption of the heap chunk's metadata. A heap chunk is allocated in
ext/phar/tar.c:167 metadata = (char *) safe_emalloc(1,
entry->uncompressed_filesize, 1); A reference to this heap chunk is passed
into phar_parse_metadata() at ext/phar/tar.c:176 if
(phar_parse_metadata(&metadata, &entry->metadata,
entry->uncompressed_filesize TSRMLS_CC) == FAILURE) { The following gets
called within phar_parse_metadata:611 when zip_metadata_len==0
PHAR_GET_32(*buffer, buf_len); This moves the pointer referencing the heap
chunk by 4bytes. When the heap chunk gets freeed at at tar.c:177:
efree(metadata); The heap chunk is now misaligned by 4 bytes. In
otherwords: ZEND_MM_HEADER_OF(metadata).info._size is now
ZEND_MM_HEADER_OF(metadata).info._prev and
ZEND_MM_HEADER_OF(metadata).info._prev is tained with the body's data.
Affected versions: PHP <= 5.6.8RC1 Bug Report: Patch:;a=commit;h=17cbd0b5b78a7500f185b3781a2149881bfff8ae
This patch was for CVE-2015-2783, but it inadvertently resolved this
vulnerability as well. The vulnerable line that was removed was on

PHAR_GET_32(*buffer, buf_len);


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ