Sec Bug #77586 phar_tar_writeheaders_int() buffer overflow
Submitted: 2019-02-08 11:16 UTC Modified: 2019-03-04 07:34 UTC
From: jordy at simplyhacker dot com Assigned: bishop (profile)
Status: Closed Package: PHAR related
PHP Version: 7.1.26 OS: Any
Private report: No CVE-ID: None
 [2019-02-08 11:16 UTC] jordy at simplyhacker dot com
Description:
------------
A buffer overflow has been found in the phar_tar_writeheaders_int() function.

As you can see on the following page:
https://github.com/php/php-src/blob/master/ext/phar/tar.c#L767

It does a strncpy to header->linkname from entry->link with the size of entry->link.

As you can see in https://github.com/php/php-src/blob/master/ext/phar/tar.h#L66 , header->linkname is a char of the size 100. Once entry->link contains a value that's bigger than 100 it will overflow the _tar_header structure.

This can be fixed by setting the size argument of strncpy to sizeof(header->linkname) for example:

strncpy(header.linkname, entry->link, sizeof(header.linkname));

Kind Regards,

Jordy Zomer


Test script:
---------------
None yet.

Expected result:
----------------
None

Actual result:
--------------
None
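
The overflow described in the report above, next to a destination-bounded write, as an added example that is not part of the original report or of PHP's patch. The struct `demo_tar_header` and the functions `link_overrun` and `set_linkname` are hypothetical; only the 100-byte `linkname` size comes from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the tar header: only the 100-byte linkname
 * size comes from the report; the other fields are illustrative. */
typedef struct {
    char name[100];
    char linkname[100];
    char magic[6];
} demo_tar_header;

/* The reported pattern is
 *     strncpy(header.linkname, entry->link, strlen(entry->link));
 * where the bound is the source length, so it never limits the copy.
 * This returns how many bytes that call would write past linkname. */
size_t link_overrun(const char *link)
{
    size_t len = strlen(link);
    size_t cap = sizeof(((demo_tar_header *)0)->linkname);
    return len > cap ? len - cap : 0;
}

/* Bounded write: the limit is the destination size. Returns 0 on
 * success, -1 if the link does not fit; the header is left untouched
 * on failure. Rejecting len == 100 (to keep a terminating NUL) is a
 * choice made for this example. */
int set_linkname(demo_tar_header *h, const char *link)
{
    size_t len = strlen(link);
    if (len >= sizeof(h->linkname))
        return -1;
    memset(h->linkname, 0, sizeof(h->linkname));
    memcpy(h->linkname, link, len);
    return 0;
}

int main(void)
{
    demo_tar_header h = {0};
    char long_link[151];                 /* constructed sample input */
    memset(long_link, 'A', 150);
    long_link[150] = '\0';

    printf("overrun with 150-byte link: %zu bytes\n", link_overrun(long_link));
    printf("checked write, long link:   %d\n", set_linkname(&h, long_link));
    printf("checked write, short link:  %d\n", set_linkname(&h, "target.txt"));
    return 0;
}
```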

Patches

issue-77586-buff-overflow (last revision 2019-02-13 05:17 UTC by bishop@php.net)
issue-77586-buff-overflow.patch (last revision 2019-02-11 21:16 UTC by bishop@php.net)
phar_tar_writeheaders.patch (last revision 2019-02-08 11:16 UTC by jordy at simplyhacker dot com)

History

 [2019-02-10 02:00 UTC] stas@php.net
-Assigned To: +Assigned To: bishop
 [2019-02-11 18:16 UTC] bishop@php.net
-Package: *Compression related +Package: PHAR related
 [2019-02-11 20:23 UTC] bishop@php.net
-Status: Assigned +Status: Analyzed
 [2019-02-11 20:45 UTC] bishop@php.net
Phar traverses the if (entry->link) condition only when the entry is a symlink. Bug 65332, however, prevents that from occurring.
 [2019-02-11 21:12 UTC] bishop@php.net
-Status: Analyzed +Status: Verified
 [2019-02-11 21:16 UTC] bishop@php.net
The following patch has been added/updated:

Patch Name: issue-77586-buff-overflow.patch
Revision:   1549919797
URL:        https://bugs.php.net/patch-display.php?bug=77586&patch=issue-77586-buff-overflow.patch&revision=1549919797
 [2019-02-11 21:20 UTC] bishop@php.net
Unified diff against PHP-7.1 attached.
 [2019-02-12 14:59 UTC] bishop@php.net
Classifying as LOW severity, because of aforementioned bug 65332, under the criterion:

> This issue allows theoretical compromise of security, but practical attack is usually impossible...

https://wiki.php.net/security#low_severity
 [2019-02-12 15:01 UTC] bishop@php.net
-Status: Verified +Status: Feedback
 [2019-02-12 15:01 UTC] bishop@php.net
OP, please review patch and provide any additional comments before final merge.
 [2019-02-13 05:17 UTC] bishop@php.net
The following patch has been added/updated:

Patch Name: issue-77586-buff-overflow
Revision:   1550035076
URL:        https://bugs.php.net/patch-display.php?bug=77586&patch=issue-77586-buff-overflow&revision=1550035076
 [2019-02-13 08:16 UTC] jordy at simplyhacker dot com
-Status: Feedback +Status: Assigned
 [2019-02-13 08:16 UTC] jordy at simplyhacker dot com
Hey Bishop,

It looks like I don't have access to the patch.

Can you give me access or comment it?

Kind Regards,

Jordy
 [2019-02-13 17:30 UTC] cmb@php.net
Bishop, you can provide the patch as *secret* gist[1] which is
quite customary for security patches.

[1] <https://gist.github.com/>
 [2019-02-13 18:22 UTC] bishop@php.net
-Status: Assigned +Status: Feedback
 [2019-02-13 18:22 UTC] bishop@php.net
Ack, @cmb. I had already emailed the patch to the OP, but will use a different approach for future sec bugs.
 [2019-02-24 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2019-03-04 06:31 UTC] stas@php.net
-Status: No Feedback +Status: Open
 [2019-03-04 07:34 UTC] stas@php.net
-PHP Version: master-Git-2019-02-08 (Git) +PHP Version: 7.1.26
 [2019-03-04 07:35 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e0f5d62bd6690169998474b62f92a8c5ddf0e699
Log: Fix bug #77586 - phar_tar_writeheaders_int() buffer overflow
 [2019-03-04 07:35 UTC] stas@php.net
-Status: Assigned +Status: Closed
 
Last updated: Thu May 23 09:01:32 2019 UTC