Bugzilla – Bug 935227
VUL-0: CVE-2015-3411: php5,php53: missing null byte checks for paths in various PHP extensions
Last modified: 2023-01-11 23:22:18 UTC
via https://bugzilla.redhat.com/show_bug.cgi?id=1213407

PHP versions 5.4.40, 5.5.24, and 5.6.8 provide a fix for multiple PHP extensions which did not check for a NULL byte in a path when processing/reading a file, which might lead to a sensitive information disclosure.

Upstream fix: http://git.php.net/?p=php-src.git;a=commitdiff;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80
Upstream bug: https://bugs.php.net/bug.php?id=69353
bugbot adjusting priority
BEFORE

$ zypper in php5-dom
$ cat test1.php
<?php
$doc = new DOMDocument();
$doc->load('/etc/fonts/fonts.conf' . chr(0) . 'somethingelse.xml');
echo $doc->saveXML();
?>
$ php test1.php
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
[... whole content of /etc/fonts/fonts.conf ...]
$

$ zypper in php5-xmlwriter
$ cat test2.php
<?php
xmlwriter_open_uri('/tmp/thisisatest'. chr(0) . 'foobar.xml');
?>
$ php test2.php
$ ls /tmp/thisisatest
/tmp/thisisatest
$

$ zypper in php5-fileinfo
$ cat test3.php
<?php
$f=finfo_open(FILEINFO_NONE);
echo finfo_file($f, '/etc/passwd' . chr(0) . 'foobar.txt');
?>
$ php test3.php
ASCII text
$

$ cat test4.php
<?php
var_dump(
  hash_hmac_file('md5', '/etc/passwd', 'secret')
  ===
  hash_hmac_file('md5', '/etc/passwd' . chr(0) . 'foobar', 'secret')
);
?>
$ php test4.php
bool(true)
$
(In reply to Marcus Meissner from comment #0)
> http://git.php.net/?p=php-src.git;a=commitdiff;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80

This single commit fixes CVE-2015-3411, CVE-2015-3412 (bug 935229) and CVE-2015-4598 (bug 935232).
The main purpose of this commit is to change 's' to 'p' in the second argument of zend_parse_parameters. However, this is not possible for 11sp3/php5.3, see bug 924970 comment 18. So it should be checked whether php 5.3 is affected in each case and, if so, a fix like 11sp3/php5.3/php-CVE-2015-4026.patch should be added.
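The 's' versus 'p' distinction in the comment above, shown as an added example. This is not php-src code and not an attachment to this bug; it is a small C model of the check, written under the assumption that the real 'p' specifier behaves as the AFTER transcript describes (reject a path argument carrying an embedded NUL and report "Invalid path"). The function names c_visible_length, parse_path_arg and path_arg_accepted are mine, and the "/etc/passwd\0foobar.txt" input is constructed to mirror test3.php.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added illustration, not php-src code. A PHP string is (pointer, length),
 * but the C file APIs an extension finally calls (fopen, open, stat) see a
 * NUL-terminated char*, so everything after an embedded NUL disappears.
 * That is the truncation behind the BEFORE transcript in this bug. */

enum { PATH_OK = 0, PATH_INVALID = -1 };

/* Length of the argument as a C file API would actually consume it: the
 * bytes up to the first NUL. With the 's' specifier nothing more was ever
 * checked, so "/etc/passwd\0foobar.txt" silently became "/etc/passwd". */
size_t c_visible_length(const char *s, size_t len)
{
    const char *nul = memchr(s, '\0', len);
    return nul ? (size_t)(nul - s) : len;
}

/* Simplified model (an assumption, not the zend_parse_parameters source) of
 * what the 'p' specifier adds: a path argument is rejected if its C-visible
 * length differs from the length PHP carries, i.e. if it embeds a NUL.
 * On success the path is copied to out as a proper C string. */
int parse_path_arg(const char *s, size_t len, char *out, size_t outsz)
{
    if (c_visible_length(s, len) != len)
        return PATH_INVALID;      /* reported by PHP as "Invalid path" */
    if (len + 1 > outsz)
        return PATH_INVALID;      /* does not fit; refuse rather than truncate */
    memcpy(out, s, len);
    out[len] = '\0';
    return PATH_OK;
}

/* Convenience wrapper: 1 if the 'p'-style check accepts the argument. */
int path_arg_accepted(const char *s, size_t len)
{
    char buf[256];
    return parse_path_arg(s, len, buf, sizeof buf) == PATH_OK;
}

int main(void)
{
    /* Constructed input mirroring test3.php: a real path, a NUL, a decoy
     * suffix. sizeof - 1 keeps the embedded NUL but drops the terminator. */
    static const char crafted[] = "/etc/passwd\0foobar.txt";
    size_t crafted_len = sizeof crafted - 1;

    printf("PHP length %zu, length a C API would act on: %zu\n",
           crafted_len, c_visible_length(crafted, crafted_len));
    printf("'s' specifier: passes through; 'p' specifier: %s\n",
           path_arg_accepted(crafted, crafted_len) ? "accepted" : "Invalid path");
    return 0;
}
```

Build with cc -std=c99 -Wall. The general point for a maintainer is that the check belongs at the boundary where a length-carrying string becomes a NUL-terminated one, which is why upstream fixed it once in the parameter specifier rather than per extension; for php 5.3, where 'p' is not available, the equivalent is the same memchr-for-NUL test placed in each affected function, as the 11sp3 patch referenced above does.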
oS: mr#313087
12: mr#60828
11sp3: sr#60826
11: sr#60824
10sp3: sr#60822
AFTER

$ php test1.php
<?xml version="1.0"?>
$

$ php test2.php
PHP Warning: xmlwriter_open_uri(): Invalid path in /935227/test2.php on line 2
$

$ php test3.php
PHP Warning: finfo_file(): Invalid filename or path in /935227/test3.php on line 3
$

$ php test4.php
PHP Warning: hash_hmac_file(): Invalid path in /935227/test4.php on line 5
bool(false)
$
openSUSE-SU-2015:1197-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 935224,935225,935226,935227,935232,935234,935274,935275
CVE References: CVE-2015-3411,CVE-2015-3412,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4604,CVE-2015-4605,CVE-2015-4643,CVE-2015-4644
Sources used:
openSUSE 13.2 (src): php5-5.6.1-30.6
openSUSE 13.1 (src): php5-5.4.20-61.5
SUSE-SU-2015:1253-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 919080,927147,931421,931769,931772,931776,933227,935224,935226,935227,935232,935234,935274,935275
CVE References: CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): php5-5.5.14-30.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-30.1
SUSE-SU-2015:1253-2: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 919080,927147,931421,931769,931772,931776,933227,935224,935226,935227,935232,935234,935274,935275
CVE References: CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-30.1
SUSE-SU-2015:1265-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 919080,933227,935074,935224,935226,935227,935232,935234,935274,935275
CVE References: CVE-2015-3411,CVE-2015-3412,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): php53-5.3.17-0.43.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): php53-5.3.17-0.43.1
SUSE Linux Enterprise Server 11 SP3 (src): php53-5.3.17-0.43.1
released, closing
SUSE-SU-2016:1638-1: An update that fixes 85 vulnerabilities is now available.

Category: security (important)
Bug References: 884986,884987,884989,884990,884991,884992,885961,886059,886060,893849,893853,902357,902360,902368,910659,914690,917150,918768,919080,921950,922451,922452,923945,924972,925109,928506,928511,931421,931769,931772,931776,933227,935074,935224,935226,935227,935229,935232,935234,935274,935275,938719,938721,942291,942296,945412,945428,949961,968284,969821,971611,971612,971912,973351,973792,976996,976997,977003,977005,977991,977994,978827,978828,978829,978830,980366,980373,980375,981050,982010,982011,982012,982013,982162
CVE References: CVE-2004-1019,CVE-2006-7243,CVE-2014-0207,CVE-2014-3478,CVE-2014-3479,CVE-2014-3480,CVE-2014-3487,CVE-2014-3515,CVE-2014-3597,CVE-2014-3668,CVE-2014-3669,CVE-2014-3670,CVE-2014-4049,CVE-2014-4670,CVE-2014-4698,CVE-2014-4721,CVE-2014-5459,CVE-2014-8142,CVE-2014-9652,CVE-2014-9705,CVE-2014-9709,CVE-2014-9767,CVE-2015-0231,CVE-2015-0232,CVE-2015-0273,CVE-2015-1352,CVE-2015-2301,CVE-2015-2305,CVE-2015-2783,CVE-2015-2787,CVE-2015-3152,CVE-2015-3329,CVE-2015-3411,CVE-2015-3412,CVE-2015-4021,CVE-2015-4022,CVE-2015-4024,CVE-2015-4026,CVE-2015-4116,CVE-2015-4148,CVE-2015-4598,CVE-2015-4599,CVE-2015-4600,CVE-2015-4601,CVE-2015-4602,CVE-2015-4603,CVE-2015-4643,CVE-2015-4644,CVE-2015-5161,CVE-2015-5589,CVE-2015-5590,CVE-2015-6831,CVE-2015-6833,CVE-2015-6836,CVE-2015-6837,CVE-2015-6838,CVE-2015-7803,CVE-2015-8835,CVE-2015-8838,CVE-2015-8866,CVE-2015-8867,CVE-2015-8873,CVE-2015-8874,CVE-2015-8879,CVE-2016-2554,CVE-2016-3141,CVE-2016-3142,CVE-2016-3185,CVE-2016-4070,CVE-2016-4073,CVE-2016-4342,CVE-2016-4346,CVE-2016-4537,CVE-2016-4538,CVE-2016-4539,CVE-2016-4540,CVE-2016-4541,CVE-2016-4542,CVE-2016-4543,CVE-2016-4544,CVE-2016-5093,CVE-2016-5094,CVE-2016-5095,CVE-2016-5096,CVE-2016-5114
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-47.1
It seems that SUSE:SLE-12:Update/php74 hasn't received the fix and is still maintained. Petr, could you please submit the fix there? :) Btw, SUSE:SLE-11:Update/php5 doesn't have the fix either, but is it still maintained?
(In reply to Marcus Meissner from comment #0)
> PHP versions 5.4.40, 5.5.24, and 5.6.8 provide a fix for multiple PHP
> extensions which did not check for NULL byte in a path when
> processing/reading a file which might lead to a sensitive information
> disclosure.

This was fixed long before php 7.0.0 was out. Do you want to add the CVE and bug number into rpm changes?
(In reply to Petr Gajdos from comment #15)
> (In reply to Marcus Meissner from comment #0)
> > PHP versions 5.4.40, 5.5.24, and 5.6.8 provide a fix for multiple PHP
> > extensions which did not check for NULL byte in a path when
> > processing/reading a file which might lead to a sensitive information
> > disclosure.
>
> This is long fixed before php 7.0.0 was out. Do you want to add the CVE and
> bug number into rpm changes?

I still can't see the content of the patch in php74; maybe the codebase changed but this is still fixed? Moreover, php5 contains the patch, but our tracking system doesn't spot it, don't know why...
Actually, I see this patch applied in php 7.4, except for the hunk concerning dom_load_html(), right?
(In reply to Petr Gajdos from comment #17)
> Actually, I see this patch applied in php 7.4, except for the hunk
> concerning dom_load_html(), right?

https://github.com/php/php-src/commit/f7d7befae8bcc2db0093f8adaa9f72eeb7ad891e

This seems to be solved by the other check below in case it is a file (s stands for string and p for path). Or am I missing something? Should I try some of the test cases below?
(In reply to Petr Gajdos from comment #18)
> (In reply to Petr Gajdos from comment #17)
> > Actually, I see this patch applied in php 7.4, except for the hunk
> > concerning dom_load_html(), right?
>
> https://github.com/php/php-src/commit/f7d7befae8bcc2db0093f8adaa9f72eeb7ad891e
>
> This seems to solved by other check below in case it is file (s stands for
> string and p for path). Or am I missing something? Should I try some of the
> testcase below?

Ah yes, I found it, and also the patch, my apologies... Sorry for the noise.
:/935227 # php test1.php
<?xml version="1.0"?>
:/935227 #

This is the expected AFTER (comment 6).
(In reply to Thomas Leroy from comment #19)
> (In reply to Petr Gajdos from comment #18)
> > (In reply to Petr Gajdos from comment #17)
> > > Actually, I see this patch applied in php 7.4, except for the hunk
> > > concerning dom_load_html(), right?
> >
> > https://github.com/php/php-src/commit/f7d7befae8bcc2db0093f8adaa9f72eeb7ad891e
> >
> > This seems to solved by other check below in case it is file (s stands for
> > string and p for path). Or am I missing something? Should I try some of the
> > testcase below?
>
> Ah yes I find it, and also the patch, my apologies... Sorry for the noise

Okay, no problem.
So fixed indeed.
SUSE-SU-2023:0072-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1206958,923946,935227
CVE References: CVE-2014-9709,CVE-2015-3411,CVE-2022-31631
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php74-7.4.33-1.50.2
SUSE Linux Enterprise Module for Web Scripting 12 (src): php74-7.4.33-1.50.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.