PHP :: Sec Bug #77586 :: phar_tar_writeheaders

Sec Bug #77586	phar_tar_writeheaders_int() buffer overflow
Submitted:	2019-02-08 11:16 UTC	Modified:	2019-03-04 07:34 UTC
From:	jordy at simplyhacker dot com	Assigned:	bishop (profile)
Status:	Closed	Package:	PHAR related
PHP Version:	7.1.26	OS:	Any
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	jordy at simplyhacker dot com
New email:
PHP Version:		OS:

New Comment:

[2019-02-08 11:16 UTC] jordy at simplyhacker dot com

Description:
------------
A bufferoverflow has been found in the phar_tar_writeheaders_int() function.

As you can see on the following page.
https://github.com/php/php-src/blob/master/ext/phar/tar.c#L767

it does a strncpy to header->linkname from entry->link with the size of entry->link.

As you can see in https://github.com/php/php-src/blob/master/ext/phar/tar.h#L66 , header->linkname is a char of the size 100. Once entry->link contains a value that's bigger than 100 it will overflow the _tar_header structure.

This can be fixed by setting the size argument of strncpy to sizeof(header->linkname) for example:

strncpy(header.linkname, entry->link, strlen(header->linkname);

Kind Regards,

Jordy Zomer


Test script:
---------------
None yet.

Expected result:
----------------
None

Actual result:
--------------
None

Patches

issue-77586-buff-overflow (last revision 2019-02-13 05:17 UTC by bishop@php.net)
issue-77586-buff-overflow.patch (last revision 2019-02-11 21:16 UTC by bishop@php.net)
phar_tar_writeheaders.patch (last revision 2019-02-08 11:16 UTC by jordy at simplyhacker dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-02-10 02:00 UTC] stas@php.net

-Assigned To: +Assigned To: bishop

[2019-02-11 18:16 UTC] bishop@php.net

-Package: *Compression related +Package: PHAR related

[2019-02-11 20:23 UTC] bishop@php.net

-Status: Assigned +Status: Analyzed

[2019-02-11 20:45 UTC] bishop@php.net

Phar traverses the if (entry->link) condition only when the entry is a symlink. Bug 65332, however, prevents that from occurring.

[2019-02-11 21:12 UTC] bishop@php.net

-Status: Analyzed +Status: Verified

[2019-02-11 21:16 UTC] bishop@php.net

The following patch has been added/updated:

Patch Name: issue-77586-buff-overflow.patch
Revision:   1549919797
URL:        https://bugs.php.net/patch-display.php?bug=77586&patch=issue-77586-buff-overflow.patch&revision=1549919797

[2019-02-11 21:20 UTC] bishop@php.net

Unified diff against PHP-7.1 attached.

[2019-02-12 14:59 UTC] bishop@php.net

Classifying as LOW severity, because of aforementioned bug 65332, under the criterion:

> This issue allows theoretical compromise of security, but practical attack is usually impossible...

https://wiki.php.net/security#low_severity

[2019-02-12 15:01 UTC] bishop@php.net

-Status: Verified +Status: Feedback

[2019-02-12 15:01 UTC] bishop@php.net

OP, please review patch and provide any additional comments before final merge.

[2019-02-13 05:17 UTC] bishop@php.net

The following patch has been added/updated:

Patch Name: issue-77586-buff-overflow
Revision:   1550035076
URL:        https://bugs.php.net/patch-display.php?bug=77586&patch=issue-77586-buff-overflow&revision=1550035076

[2019-02-13 08:16 UTC] jordy at simplyhacker dot com

-Status: Feedback +Status: Assigned

[2019-02-13 08:16 UTC] jordy at simplyhacker dot com

Hey Bishop,

It looks like I don't have access to the patch.

Can you give me access or comment it?

Kind Regards,

Jordy

[2019-02-13 17:30 UTC] cmb@php.net

Bishop, you can provide the patch as *secret* gist[1] which is
quite customary for security patches.

[1] <https://gist.github.com/>

[2019-02-13 18:22 UTC] bishop@php.net

-Status: Assigned +Status: Feedback

[2019-02-13 18:22 UTC] bishop@php.net

Ack, @cmb. I had already emailed the patch to the OP, but will use a different approach for future sec bug.

[2019-02-24 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

[2019-03-04 06:31 UTC] stas@php.net

-Status: No Feedback +Status: Open

[2019-03-04 07:34 UTC] stas@php.net

-PHP Version: master-Git-2019-02-08 (Git) +PHP Version: 7.1.26

[2019-03-04 07:35 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e0f5d62bd6690169998474b62f92a8c5ddf0e699
Log: Fix bug #77586 - phar_tar_writeheaders_int() buffer overflow

[2019-03-04 07:35 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2019-04-29 07:09 UTC] bishop@php.net

Related To: Bug #77919

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 10:01:29 2024 UTC