Date: Tue, 22 Dec 2015 12:12:13 -0500 (EST)
From: cve-assign@...re.org
To: emmanuel.law@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@....net
Subject: Re: CVE Request: Use after free in PHP Collator::sortWithSortKeys function

> I reported a use after free in PHP's Intl extension. The vulnerability
> is in Collator::sortWithSortKeys function. Only PHP 7.0.0 is affected.
> 
> This can potentially be remotely exploitable if the sorting function
> is called on a user supplied array.
> 
> https://bugs.php.net/bug.php?id=71020

>>   - Array is destroyed via zval_ptr_dtor( array );
>>   - sortKeyIndxBuf[0....0xba].zstr are now dangling pointers
>>   - New array initialized (Hashtable with initial element size of 8)
>>   - As the dangling pointers are added to array, the size of the Hashtable grows.
>>   - As the Hashtable grows, it's allocated more memory via zend_hash_do_resize()
>>   - It will then be allocated memory that coincides with an address
>>     pointed to by the dangling pointer sortKeyIndxBuf[j].zstr. Thus
>>     sortKeyIndxBuf[j].zstr now no longer points to a valid zval.
>>   - ... it will access dereference whatever is the value within this "corrupted zval"

>> [2015-12-07 19:04 UTC] ab@....net
>> Yeah, we should have kept this till short before the release, as usually done
>> for security patches.

Use CVE-2015-8616.


Also, while we're doing CVEs for PHP 7.0.1, this one is CVE-2015-8617:

  https://bugs.php.net/bug.php?id=71105
  http://php.net/ChangeLog-7.php
  https://github.com/php/php-src/commit/b101a6bbd4f2181c360bd38e7683df4a03cba83e

  [2015-12-13 02:48 UTC] laruence@....net ... this is a security fix

  A format string vulnerability exists in PHP-7.0.0 due to how
  non-existent class names are handled. ... Adding a "%s" as the
  second parameter there seems to fix the issue.


If anyone is familiar with "Fixed double free in error condition of
format printer" in that changelog and wants a CVE ID, please let us
know.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
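As an added illustration of the fix quoted above for CVE-2015-8617 (example code written for this page, not code from PHP or from this thread), the following C snippet shows the hardened "%s" form next to an audit helper that flags strings which must never be passed as a format. `engine_error` is a hypothetical stand-in for a printf-style error reporter; the class name is constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style engine error reporter (the role
 * zend_error plays in PHP): whatever arrives as `fmt` is parsed for directives. */
static int engine_error(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened form of the fix described in the thread: the externally influenced
 * class name travels as the DATA argument behind a "%s", so a '%' inside it is
 * copied literally. The defective pattern would be
 *     engine_error(out, cap, class_name);
 * which hands the name to the reporter as the format itself. */
int report_missing_class(const char *class_name, char *out, size_t cap)
{
    return engine_error(out, cap, "Class '%s' not found", class_name);
}

/* Audit helper: how many conversion directives would this string introduce if
 * it were mistakenly passed as a format? "%%" is a literal percent and does
 * not count. Any non-zero result marks input that must only go through "%s". */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, skip both characters */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char buf[128];
    const char *name = "Acme\\Client%sFactory";  /* constructed sample input */
    report_missing_class(name, buf, sizeof buf);
    printf("%s (directives if misused as format: %d)\n",
           buf, count_format_directives(name));
    return 0;
}
```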
