Date: Tue, 22 Dec 2015 12:12:13 -0500 (EST)
From: cve-assign@...re.org
To: emmanuel.law@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@....net
Subject: Re: CVE Request: Use after free in PHP Collator::sortWithSortKeys function

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I reported a use after free in PHP's Intl extension. The vulnerability
> is in Collator::sortWithSortKeys function. Only PHP 7.0.0 is affected.
>
> This can potentially be remotely exploitable if the sorting function
> is called on a user supplied array.
>
> https://bugs.php.net/bug.php?id=71020

>> - Array is destroyed via zval_ptr_dtor( array );
>> - sortKeyIndxBuf[0....0xba].zstr are now dangling pointers
>> - New array initialized (Hashtable with initial element size of 8)
>> - As the dangling pointers are added to array, the size of the Hashtable grows.
>> - As the Hashtable grows, it's allocated more memory via zend_hash_do_resize()
>> - It will then be allocated memory that coincides with an address
>>   pointed to by the dangling pointer sortKeyIndxBuf[j].zstr. Thus
>>   sortKeyIndxBuf[j].zstr now no longer points to a valid zval.
>> - ... it will access dereference whatever is the value within this "corrupted zval"

>> [2015-12-07 19:04 UTC] ab@....net
>> Yeah, we should have kept this till short before the release, as usually done
>> for security patches.

Use CVE-2015-8616.

Also, while we're doing CVEs for PHP 7.0.1, this one is CVE-2015-8617:

https://bugs.php.net/bug.php?id=71105
http://php.net/ChangeLog-7.php
https://github.com/php/php-src/commit/b101a6bbd4f2181c360bd38e7683df4a03cba83e

[2015-12-13 02:48 UTC] laruence@....net
... this is a security fix

A format string vulnerability exists in PHP-7.0.0 due to how non-existent class names are handled.
...
Adding a "%s" as the second parameter there seems to fix the issue.
If anyone is familiar with "Fixed double free in error condition of format printer" in that changelog and wants a CVE ID, please let us know.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
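As an added illustration (not code from the PHP project or from the reporter), the constructed C model below shows the lifetime rule whose violation the quoted bug report walks through: a key buffer that holds pointers into an array's elements must keep those elements alive, here by taking a reference, until the rebuilt array owns them, otherwise destroying the original array before building the new one leaves the buffer full of dangling pointers. The names rstr, sortkey, xstrdup and demo are assumptions for this model, and the key derivation is a toy stand-in for ICU collation keys.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model: a refcounted string standing in for zend_string, an
 * array of them, and a key-buffer entry holding the derived key plus a
 * pointer to its element (the role of sortKeyIndxBuf[j].zstr in the report). */
typedef struct { int refcount; char *val; } rstr;
typedef struct { rstr **items; size_t n; } array;
typedef struct { char *key; rstr *zstr; } sortkey;
static char *xstrdup(const char *s) { size_t n = strlen(s) + 1; return memcpy(malloc(n), s, n); }
static rstr *rstr_new(const char *s) { rstr *r = malloc(sizeof *r); r->refcount = 1; r->val = xstrdup(s); return r; }
static void rstr_release(rstr *r) { if (--r->refcount == 0) { free(r->val); free(r); } }
static void array_destroy(array *a) {
    for (size_t i = 0; i < a->n; i++) rstr_release(a->items[i]);
    free(a->items); a->items = NULL; a->n = 0;
}
static int cmp_key(const void *x, const void *y) {
    return strcmp(((const sortkey *)x)->key, ((const sortkey *)y)->key);
}
/* Rebuild `a` sorted by key. Taking a reference to each element before
 * array_destroy() keeps buf[i].zstr valid; without it the new array would be
 * built from dangling pointers. Key derivation is a toy (case-folded copy). */
static void sort_with_sort_keys(array *a) {
    size_t n = a->n;
    sortkey *buf = calloc(n, sizeof *buf);
    for (size_t i = 0; i < n; i++) {
        buf[i].zstr = a->items[i];
        buf[i].zstr->refcount++;                 /* hold the element alive */
        buf[i].key = xstrdup(a->items[i]->val);
        for (char *p = buf[i].key; *p; p++) *p = (char)tolower((unsigned char)*p);
    }
    array_destroy(a);                            /* releases only the array's own refs */
    qsort(buf, n, sizeof *buf, cmp_key);
    a->items = malloc(n * sizeof *a->items); a->n = n;
    for (size_t i = 0; i < n; i++) { a->items[i] = buf[i].zstr; free(buf[i].key); } /* transfer refs */
    free(buf);
}
/* Sorts a constructed {"pear","Apple","fig"}; returns 1 if the order is right
 * and each element ends up owned exactly once, by the new array. */
static int demo(void) {
    const char *in[] = { "pear", "Apple", "fig" }, *want[] = { "Apple", "fig", "pear" };
    array a = { malloc(3 * sizeof(rstr *)), 3 };
    for (size_t i = 0; i < 3; i++) a.items[i] = rstr_new(in[i]);
    sort_with_sort_keys(&a);
    int ok = 1;
    for (size_t i = 0; i < 3; i++)
        ok = ok && strcmp(a.items[i]->val, want[i]) == 0 && a.items[i]->refcount == 1;
    array_destroy(&a);
    return ok;
}
```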