Bugzilla – Bug 1175223
VUL-1: CVE-2020-7068: php5,php72,php7,php74,php53: php: Use of freed hash key in the phar_parse_zipfile function
Last modified: 2020-09-23 06:50:21 UTC
rh#1868109

The phar_parse_zipfile function had a use-after-free vulnerability because of mishandling of the actual_alias variable.

----- ext/phar/zip.c -----
int phar_parse_zipfile(php_stream *fp, char *fname, size_t fname_len, char *alias, size_t alias_len, phar_archive_data** pphar, char **error) /* {{{ */
{
    ...
    mydata->alias = entry.is_persistent ? pestrndup(actual_alias, mydata->alias_len, 1) : actual_alias;

    if (entry.is_persistent) {
        efree(actual_alias);
    }

    zend_hash_str_add_ptr(&(PHAR_G(phar_alias_map)), actual_alias, mydata->alias_len, mydata);
    ...
---------------------------

The `actual_alias` variable is allocated by the estrndup function; its string is part of the data of the zip file. In the above code snippet, `mydata->alias` is assigned by `pestrndup(actual_alias, mydata->alias_len, 1)` if entry.is_persistent is true; otherwise `mydata->alias` is assigned the `actual_alias` variable. And if `entry.is_persistent` is true, the `actual_alias` variable is freed by invoking the efree function. The `actual_alias` variable is then used in the invocation of the zend_hash_str_add_ptr function as the 2nd argument. The problem is that, because the `actual_alias` variable is freed if `entry.is_persistent` is true, the key of `phar_alias_map` will use freed memory.

`entry.is_persistent` is true if the `phar.cache_list` field is defined in the php.ini file. So if `phar.cache_list` is defined with the target phar path so that `entry.is_persistent` is true, then the `phar_alias_map` hash key may use sensitive freed memory data, such as heap addresses that are set via the linked list after invoking the efree function.

Possibly affected versions: php 7.2.32, php 7.3.20, php 7.4.8

Upstream Reference:
https://bugs.php.net/bug.php?id=79797
https://www.php.net/ChangeLog-7.php

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1868109
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7068
https://access.redhat.com/security/cve/CVE-2020-7068
tracking as affected:
- SUSE:SLE-12:Update / php7
- SUSE:SLE-12:Update / php72
- SUSE:SLE-12:Update / php74
- SUSE:SLE-15:Update / php7
- SUSE:SLE-15-SP2:Update / php7

contrary to the report, the code is also present in 7.0.X
TW/php7 have the change already in.

There is a similar one in php5:

mydata->alias = entry.is_persistent ? pestrndup(actual_alias, mydata->alias_len, 1) : actual_alias;

if (entry.is_persistent) {
    efree(actual_alias);
}

zend_hash_add(&(PHAR_GLOBALS->phar_alias_map), actual_alias, mydata->alias_len, (void*)&mydata, sizeof(phar_archive_data*), NULL);

Will submit for 15sp2/php7, 15/php7, 12/php74, 12/php72, 12/php7, 12/php5, 11/php53.

Submitted also for devel:languages:php:php56/php5.
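Added example, not code from PHP or from this bug's comments: a stand-alone C model of the ordering defect shown in both the php7 and php5 snippets above. The request allocator, the persistent copy, the alias map and every function name below are stand-ins for efree/estrndup, pestrndup(..., 1), phar_alias_map and zend_hash_str_add_ptr; the "fixed" ordering (insert into the map before releasing the temporary copy) is this example's own assumption about a correct sequence, not a quotation of the upstream patch. The toy free routine writes a free-list pointer into the released block, which is the effect the report describes, so the key copied into the map after the free is visibly wrong.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE 4096
#define MAP_SLOTS 8
#define KEY_MAX   64

/* Toy request allocator standing in for emalloc/estrndup/efree (assumption, not Zend MM).
 * On free it writes a free-list pointer into the block, mimicking the heap metadata
 * the report says ends up in actual_alias after efree(). */
static unsigned char pool[POOL_SIZE];
static size_t pool_used;
static void *free_head;

static void *toy_emalloc(size_t n) {
    n = (n + 15) & ~(size_t)15;            /* block always large enough for a pointer */
    if (n == 0) n = 16;
    if (pool_used + n > POOL_SIZE) return NULL;
    void *p = pool + pool_used;
    pool_used += n;
    return p;
}

static char *toy_estrndup(const char *s, size_t len) {
    char *d = toy_emalloc(len + 1);
    if (!d) return NULL;
    memcpy(d, s, len);
    d[len] = '\0';
    return d;
}

static void toy_efree(void *p) {
    memcpy(p, &free_head, sizeof free_head); /* block now starts with a heap pointer */
    free_head = p;
}

/* Persistent copy standing in for pestrndup(..., 1): lives outside the request pool. */
static char *persistent_strndup(const char *s, size_t len) {
    char *d = malloc(len + 1);
    if (!d) return NULL;
    memcpy(d, s, len);
    d[len] = '\0';
    return d;
}

/* Toy alias map standing in for phar_alias_map. Like zend_hash_str_add_ptr it reads
 * and copies the key bytes at insert time, so a freed key is read right here. */
struct alias_map {
    char   keys[MAP_SLOTS][KEY_MAX];
    size_t lens[MAP_SLOTS];
    void  *vals[MAP_SLOTS];
    int    count;
};

static int map_add(struct alias_map *m, const char *key, size_t len, void *val) {
    if (m->count >= MAP_SLOTS || len >= KEY_MAX) return 0;
    memcpy(m->keys[m->count], key, len);
    m->keys[m->count][len] = '\0';
    m->lens[m->count] = len;
    m->vals[m->count] = val;
    m->count++;
    return 1;
}

static int map_has_key(const struct alias_map *m, const char *key, size_t len) {
    for (int i = 0; i < m->count; i++)
        if (m->lens[i] == len && memcmp(m->keys[i], key, len) == 0) return 1;
    return 0;
}

struct phar_data { char *alias; size_t alias_len; };

/* Same ordering as the snippets in the bug: free actual_alias, then use it as the key. */
static int register_alias_vulnerable(struct alias_map *map, struct phar_data *mydata,
                                     const char *zip_alias, size_t len, int is_persistent) {
    char *actual_alias = toy_estrndup(zip_alias, len);   /* alias bytes taken from the zip */
    if (!actual_alias) return 0;
    mydata->alias_len = len;
    mydata->alias = is_persistent ? persistent_strndup(actual_alias, len) : actual_alias;
    if (is_persistent) {
        toy_efree(actual_alias);                         /* freed here ... */
    }
    return map_add(map, actual_alias, len, mydata);      /* ... read here: key is garbage */
}

/* Hardened ordering (this example's assumption): insert first, release afterwards. */
static int register_alias_fixed(struct alias_map *map, struct phar_data *mydata,
                                const char *zip_alias, size_t len, int is_persistent) {
    char *actual_alias = toy_estrndup(zip_alias, len);
    if (!actual_alias) return 0;
    mydata->alias_len = len;
    mydata->alias = is_persistent ? persistent_strndup(actual_alias, len) : actual_alias;
    int ok = map_add(map, actual_alias, len, mydata);    /* key copied while still live */
    if (is_persistent) {
        toy_efree(actual_alias);
    }
    return ok;
}

/* Registers a constructed alias with one ordering and reports whether it can still be
 * looked up afterwards: 1 = findable, 0 = lost. is_persistent models phar.cache_list. */
static int alias_findable(int use_fixed, int is_persistent) {
    struct alias_map map = {0};
    struct phar_data d = {0};
    const char *alias = "myalias";                       /* constructed sample alias */
    size_t len = strlen(alias);
    int ok = use_fixed ? register_alias_fixed(&map, &d, alias, len, is_persistent)
                       : register_alias_vulnerable(&map, &d, alias, len, is_persistent);
    int found = ok && map_has_key(&map, alias, len);
    if (is_persistent) free(d.alias);
    return found;
}

int main(void) {
    printf("vulnerable, persistent: alias findable = %d\n", alias_findable(0, 1));
    printf("fixed, persistent:      alias findable = %d\n", alias_findable(1, 1));
    printf("vulnerable, transient:  alias findable = %d\n", alias_findable(0, 0));
    return 0;
}
```

The transient case (no phar.cache_list) succeeds even with the vulnerable ordering, which is why the bug only surfaces when the entry is persistent; the persistent, vulnerable case registers a key made of pointer bytes instead of the alias, so the archive can no longer be found by alias and whatever was in the freed block has leaked into the map key.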
(Please correct me, if I am wrong.)
Packages submitted. I believe all fixed.
SUSE-SU-2020:2403-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175223
CVE References: CVE-2020-7068
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php7-7.0.7-50.97.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-50.97.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2404-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175223
CVE References: CVE-2020-7068
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php74-7.4.6-1.8.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php74-7.4.6-1.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2405-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175223
CVE References: CVE-2020-7068
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php72-7.2.5-1.49.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php72-7.2.5-1.49.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2455-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1173786,1174010,1175223
CVE References: CVE-2020-7068
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src): php7-7.2.5-4.61.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src): php7-7.2.5-4.61.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2456-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175223
CVE References: CVE-2020-7068
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src): php7-7.4.6-3.6.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): php7-7.4.6-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:2477-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175223
CVE References: CVE-2020-7068
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-109.79.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1356-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1175223
CVE References: CVE-2020-7068
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): php7-7.4.6-lp152.2.6.1, php7-test-7.4.6-lp152.2.6.1
openSUSE-SU-2020:1354-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1173786,1174010,1175223
CVE References: CVE-2020-7068
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): php7-7.2.5-lp151.6.32.1, php7-test-7.2.5-lp151.6.32.1
released