php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #61065 Secunia SA44335 - arbitrary code execution
Submitted: 2012-02-12 21:43 UTC Modified: 2014-06-19 16:31 UTC
From: ty at sarna dot org Assigned: stas (profile)
Status: Closed Package: PHAR related
PHP Version: 5.3.10 OS: All
Private report: No CVE-ID: 2012-2386
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: ty at sarna dot org
New email:
PHP Version: OS:

 

 [2012-02-12 21:43 UTC] ty at sarna dot org
Description:
------------
I see no evidence that php.net is aware of this issue, but it seems known 
elsewhere (NetBSD pkgsrc reports 5.3.10 as vulnerable due to this bug, and 
refuses to install without an override)


See:


http://secunia.com/advisories/44335
http://0x1byte.blogspot.com/2011/04/php-phar-extension-heap-overflow.html


"The vulnerability is caused due to an integer overflow error within the phar 
extension in the "phar_parse_tarfile()" function (ext/phar/tar.c) and can be 
exploited to cause a heap-based buffer overflow via a specially crafted TAR 
file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 5.3.6. Other versions may also be 
affected."





Patches

phar.diff (last revision 2012-05-13 02:20 UTC by rasmus@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-05-13 02:20 UTC] rasmus@php.net
The following patch has been added/updated:

Patch Name: phar.diff
Revision:   1336875629
URL:        https://bugs.php.net/patch-display.php?bug=61065&patch=phar.diff&revision=1336875629
 [2012-05-13 14:24 UTC] pajoye@php.net
Patch looks good too and builds fine. Maybe add a comment to say that filename_len 
and uncompressed_filesize are uint32 as it may not be obvious (< 0 or >= checks 
instead :).
 [2012-05-13 16:05 UTC] pajoye@php.net
We also need a CVE for that one, anyone can request one please?
 [2012-05-20 18:09 UTC] felipe@php.net
CVE id has been requested.
 [2012-05-22 17:51 UTC] felipe@php.net
-CVE-ID: +CVE-ID: 2012-2386
 [2012-05-30 07:29 UTC] stas@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-05-30 07:29 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2012-06-14 21:53 UTC] vdanen@php.net
Is there a particular reason why the CVE name wasn't mentioned in the changelog?
 [2012-06-14 23:43 UTC] felipe@php.net
I've added it to the changelog. (in some minutes it'll appears in the site)

Thanks.
 [2012-07-04 22:23 UTC] helly@php.net
Why did we not simply use safe_pemalloc() here?
 [2014-10-07 23:25 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=4eb802bb14b05b82573457bc0f528e61ca7ddc45
Log: fix bug #61065 (cherry picked from commit a10e778bfb7ce9caa1f91666ddf2705db7982d68)
 [2014-10-07 23:25 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=a10e778bfb7ce9caa1f91666ddf2705db7982d68
Log: fix bug #61065
 [2014-10-07 23:36 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=4eb802bb14b05b82573457bc0f528e61ca7ddc45
Log: fix bug #61065 (cherry picked from commit a10e778bfb7ce9caa1f91666ddf2705db7982d68)
 [2014-10-07 23:36 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=a10e778bfb7ce9caa1f91666ddf2705db7982d68
Log: fix bug #61065
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC