Date: Mon, 18 May 2015 10:13:34 +1200
From: Emmanuel Law <>
Subject: [CVE Request/Advisory] Multiple vulnerabilities in PHP's handling of
 Phar files


PHP has had built-in Phar & PharData functionality since 5.3.0. It allows
developers to use them to manipulate the following archive types: tar, zip,
phar. Several vulnerabilities were found in the Phar extension.

[1: CVE Request - Memory Corruption in phar_parse_tarfile when entry
filename starts with null ]

Description:
------------
This is a single byte memory corruption vulnerability. It is triggered when
a tar entry->filename starts with a null byte. On an x86 machine, it has the
potential to corrupt the heap chunk metadata. On an x64 machine, it has the
potential to corrupt 1 byte at the offset entry.filename+0xFFFFFFFF

Affected versions: PHP <= 5.6.8
Bug Report:
Patch:;a=commit;h=c27f012b7a447e59d4a704688971cbfa7dddaa74

Can a CVE be assigned for this please?

[2: CVE-2015-3307 - Heap metadata corruption when parsing tar file in
phar_tar_process_metadata()]

Description:
------------
This is a vulnerability whereby the heap header gets misaligned, resulting
in the corruption of the heap chunk's metadata.

A heap chunk is allocated in ext/phar/tar.c:167

    metadata = (char *) safe_emalloc(1, entry->uncompressed_filesize, 1);

A reference to this heap chunk is passed into phar_parse_metadata() at
ext/phar/tar.c:176

    if (phar_parse_metadata(&metadata, &entry->metadata, entry->uncompressed_filesize TSRMLS_CC) == FAILURE) {

The following gets called within phar_parse_metadata:611 when
zip_metadata_len==0

    PHAR_GET_32(*buffer, buf_len);

This moves the pointer referencing the heap chunk by 4 bytes. When the heap
chunk gets freed at tar.c:177:

    efree(metadata);

The heap chunk is now misaligned by 4 bytes. In other words:
ZEND_MM_HEADER_OF(metadata).info._size is now
ZEND_MM_HEADER_OF(metadata).info._prev and
ZEND_MM_HEADER_OF(metadata).info._prev is tainted with the body's data.

Affected versions: PHP <= 5.6.8RC1
Bug Report:
Patch:;a=commit;h=17cbd0b5b78a7500f185b3781a2149881bfff8ae
This patch was for CVE-2015-2783, but it inadvertently resolved this
vulnerability as well. The vulnerable line that was removed was on

PHAR_GET_32(*buffer, buf_len);
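
The pointer-ownership mistake described in [2], as an added example that is not part of the original post and is not PHP's code: a parser that advances the caller's pointer leaves the owning pointer 4 bytes past the allocation base, while the hardened form parses through a separate cursor. get32_advance, both function names and SAMPLE are hypothetical, it uses malloc/free rather than the Zend allocator, and the bad free is measured, not executed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a PHAR_GET_32-style read: returns a 32-bit
 * little-endian value and advances the caller's pointer by 4 bytes. */
static uint32_t get32_advance(char **buf) {
    const unsigned char *p = (const unsigned char *)*buf;
    *buf += 4;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Reported pattern: the owning pointer itself is handed to the parser.
 * Returns how far it ends up from the allocation base, i.e. the offset a
 * later free(metadata) would be called with. The bad free is not executed. */
ptrdiff_t owner_offset_after_parse(const unsigned char *data, size_t len) {
    if (len < 4) return -1;
    char *metadata = malloc(len);
    if (!metadata) return -1;
    char *base = metadata;            /* kept only to measure and clean up */
    memcpy(metadata, data, len);
    (void)get32_advance(&metadata);   /* moves the owning pointer */
    ptrdiff_t off = metadata - base;
    free(base);
    return off;
}

/* Hardened form: the parser works on a cursor; the owner is never moved. */
int parse_with_cursor(const unsigned char *data, size_t len, uint32_t *out) {
    if (len < 4) return -1;
    char *metadata = malloc(len);
    if (!metadata) return -1;
    memcpy(metadata, data, len);
    char *cursor = metadata;
    *out = get32_advance(&cursor);
    free(metadata);                   /* same address malloc returned */
    return 0;
}

/* Constructed sample: length field 0x2a followed by four body bytes. */
static const unsigned char SAMPLE[] = {0x2a, 0, 0, 0, 'b', 'o', 'd', 'y'};

int main(void) {
    uint32_t v = 0;
    int rc = parse_with_cursor(SAMPLE, sizeof SAMPLE, &v);
    printf("offset=%td rc=%d value=%u\n", owner_offset_after_parse(SAMPLE, sizeof SAMPLE), rc, (unsigned)v);
    return 0;
}
```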

