Bug 886059 - (CVE-2014-4670) VUL-0: CVE-2014-4670: php5,php53: SPL Iterators use-after-free
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P3 - Medium (priority), Normal (severity)
Assigned To: Security Team bot
https://smash.suse.de/issue/103330/
maint:released:sle11-sp3:58371
Reported: 2014-07-07 14:58 UTC by Victor Pereira
Modified: 2020-05-18 11:53 UTC (History)
Found By: Security Response Team
Description Victor Pereira 2014-07-07 14:58:22 UTC
CVE-2014-4670

Description:
------------
SPL provides a set of iterators to traverse over objects (including internal iterators).
Changes in the object are not projected to the object iterators.
This results in iterators pointing to freed memory.
Calling next on the iterator triggers use-after-free.

Please use CVE-2014-4670 for this bug.

Test script:
---------------
<?php
$list = new SplDoublyLinkedList();
$list->push('a');
$list->push('b');

$list->rewind();
$list->offsetUnset(0);
$list->push('c');
$list->offsetUnset(0);
$list->next();

Actual result:
--------------
$ USE_ZEND_ALLOC=0 valgrind /opt/php/5.5.14/bin/php test.php
==14274== Memcheck, a memory error detector
==14274== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==14274== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==14274== Command: /opt/php/5.5.14/bin/php test.php
==14274==
==14274== Invalid read of size 4
==14274==    at 0x8367BCC: spl_dllist_it_helper_move_forward (spl_dllist.c:989)
==14274==    by 0x852E1B1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==14274==    by 0x84F0935: execute_ex (zend_vm_execute.h:363)
==14274==    by 0x8488C71: zend_execute_scripts (zend.c:1316)
==14274==    by 0x842943A: php_execute_script (main.c:2506)
==14274==    by 0x8531447: do_cli (php_cli.c:994)
==14274==    by 0x808149B: main (php_cli.c:1378)
==14274==  Address 0x716b748 is 8 bytes inside a block of size 16 free'd
==14274==    at 0x402750C: free (vg_replace_malloc.c:427)
==14274==    by 0x83688FF: zim_spl_SplDoublyLinkedList_offsetUnset (spl_dllist.c:922)
==14274==    by 0x852E1B1: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==14274==    by 0x84F0935: execute_ex (zend_vm_execute.h:363)
==14274==    by 0x8488C71: zend_execute_scripts (zend.c:1316)
==14274==    by 0x842943A: php_execute_script (main.c:2506)
==14274==    by 0x8531447: do_cli (php_cli.c:994)
==14274==    by 0x808149B: main (php_cli.c:1378)



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4670
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4670.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4670
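The report above boils down to an iterator that keeps a raw pointer into a list while the list is mutated under it, so that the next step dereferences freed memory (the valgrind trace shows the 16-byte element freed in offsetUnset and then read in move_forward). The C program below is an added illustration of one defensive design for that class of bug; it is not PHP's spl_dllist.c and not the upstream fix. It uses a fail-fast modification counter (the names dlist, dlist_iter, iter_next and the 'a'/'b'/'c' payload are constructed for this example): every push or unset bumps the list's generation, the iterator records the generation it was positioned at, and any step or read after the generations diverge is refused without touching the cursor, so the exact sequence from the test script ends in an error return instead of an invalid read.

```c
#include <stdio.h>
#include <stdlib.h>

/* Doubly-linked list with fail-fast iterators. Added illustration only:
 * this is not PHP's spl_dllist.c. Every structural change bumps l->gen; an
 * iterator remembers the gen it was positioned at and refuses to touch its
 * cursor once they differ, so a cursor left on an unlinked (freed) element
 * is never dereferenced. */
typedef struct node {
    struct node *prev, *next;
    int value;
} node;

typedef struct {
    node *head, *tail;
    size_t count;
    unsigned long gen;   /* bumped on every push / unset */
} dlist;

typedef struct {
    dlist *list;
    node *cur;           /* may dangle after a modification; read only if gen matches */
    unsigned long gen;
} dlist_iter;

static void dlist_init(dlist *l) { l->head = l->tail = NULL; l->count = 0; l->gen = 0; }

static void dlist_push(dlist *l, int v) {
    node *n = malloc(sizeof *n);
    if (!n) abort();
    n->value = v; n->next = NULL; n->prev = l->tail;
    if (l->tail) l->tail->next = n; else l->head = n;
    l->tail = n;
    l->count++;
    l->gen++;
}

/* Unlink and free the element at idx. Returns 0 on success, -1 if out of range. */
static int dlist_unset(dlist *l, size_t idx) {
    node *n = l->head;
    while (n && idx--) n = n->next;
    if (!n) return -1;
    if (n->prev) n->prev->next = n->next; else l->head = n->next;
    if (n->next) n->next->prev = n->prev; else l->tail = n->prev;
    free(n);             /* an iterator still parked on n now holds a dangling cursor */
    l->count--;
    l->gen++;
    return 0;
}

static void iter_rewind(dlist_iter *it, dlist *l) {
    it->list = l; it->cur = l->head; it->gen = l->gen;
}

static int iter_valid(const dlist_iter *it) {
    return it->gen == it->list->gen && it->cur != NULL;
}

/* Step forward: 1 = moved to a live element, 0 = reached the end,
 * -1 = list modified since the iterator was positioned (nothing dereferenced). */
static int iter_next(dlist_iter *it) {
    if (it->gen != it->list->gen) return -1;
    if (!it->cur) return 0;
    it->cur = it->cur->next;
    return it->cur ? 1 : 0;
}

static int iter_current(const dlist_iter *it, int *out) {
    if (!iter_valid(it)) return -1;
    *out = it->cur->value;
    return 0;
}

static void dlist_clear(dlist *l) { while (l->head) dlist_unset(l, 0); }

/* Replays the report's sequence: push a, b; rewind; unset(0); push c; unset(0); next. */
static int replay_report_sequence(void) {
    dlist l; dlist_iter it; int rc;
    dlist_init(&l);
    dlist_push(&l, 'a'); dlist_push(&l, 'b');
    iter_rewind(&it, &l);
    dlist_unset(&l, 0);  /* 'a' freed; it.cur now dangles */
    dlist_push(&l, 'c');
    dlist_unset(&l, 0);  /* 'b' freed */
    rc = iter_next(&it); /* fail-fast: -1, freed memory is never read */
    dlist_clear(&l);
    return rc;
}

/* Control case: no modification between rewind and next, iteration proceeds. */
static int replay_unmodified_sequence(void) {
    dlist l; dlist_iter it; int v = 0, r;
    dlist_init(&l);
    dlist_push(&l, 'a'); dlist_push(&l, 'b');
    iter_rewind(&it, &l);
    r = iter_next(&it);
    if (r == 1 && iter_current(&it, &v) == 0) r = v;   /* yields 'b' */
    dlist_clear(&l);
    return r;
}

int main(void) {
    printf("report sequence: iter_next -> %d (expected -1)\n", replay_report_sequence());
    printf("unmodified: value after next -> %d ('b' = 98)\n", replay_unmodified_sequence());
    return 0;
}
```

Running the binary under valgrind (as the reporter did for php) should show no invalid reads: the dangling cursor is stored but never followed once the generation check fails. The cost of this design is that a stale iterator becomes unusable after any mutation; a library that wants the iterator to survive mutation instead needs reference-counted elements so that unlinking cannot free memory an iterator still holds, which is the other common remedy for this bug class.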
Comment 1 Swamp Workflow Management 2014-07-07 22:00:58 UTC
bugbot adjusting priority
Comment 5 Petr Gajdos 2014-07-18 08:00:06 UTC
php 5.5.14 affected as well, submitted to factory and sle12.
Comment 6 Bernhard Wiedemann 2014-07-18 08:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (886059) was mentioned in
https://build.opensuse.org/request/show/241423 Factory / php5
Comment 7 Petr Gajdos 2014-07-18 08:02:22 UTC
Packages submitted.
Comment 9 SMASH SMASH 2014-07-21 13:10:59 UTC
Affected packages:

SLE-11-SP3: php53
Comment 10 Swamp Workflow Management 2014-07-30 10:06:22 UTC
SUSE-SU-2014:0938-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060
CVE References: CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    php53-5.3.17-0.27.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    php53-5.3.17-0.27.1
SUSE Linux Enterprise Server 11 SP3 (src):    php53-5.3.17-0.27.1
Comment 11 Victor Pereira 2014-07-30 12:14:29 UTC
fixed and released
Comment 12 Swamp Workflow Management 2014-07-30 18:46:01 UTC
openSUSE-SU-2014:0945-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 885961,886059,886060
CVE References: CVE-2014-4670,CVE-2014-4698,CVE-2014-4721
Sources used:
openSUSE 13.1 (src):    php5-5.4.20-21.1
openSUSE 12.3 (src):    php5-5.3.17-3.25.1
Comment 13 Bernhard Wiedemann 2014-09-17 18:01:34 UTC
This is an autogenerated message for OBS integration:
This bug (886059) was mentioned in
https://build.opensuse.org/request/show/249993 Evergreen:11.4 / php5.openSUSE_Evergreen_11.4
Comment 14 Swamp Workflow Management 2016-06-21 11:10:08 UTC
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    php53-5.3.17-47.1