php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #77586 phar_tar_writeheaders_int() buffer overflow
Submitted: 2019-02-08 11:16 UTC Modified: 2019-03-04 07:34 UTC
From: jordy at simplyhacker dot com Assigned: bishop (profile)
Status: Closed Package: PHAR related
PHP Version: 7.1.26 OS: Any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: jordy at simplyhacker dot com
New email:
PHP Version: OS:

 

 [2019-02-08 11:16 UTC] jordy at simplyhacker dot com 
Description:
------------
A bufferoverflow has been found in the phar_tar_writeheaders_int() function.

As you can see on the following page.
https://github.com/php/php-src/blob/master/ext/phar/tar.c#L767

it does a strncpy to header->linkname from entry->link with the size of entry->link.

As you can see in https://github.com/php/php-src/blob/master/ext/phar/tar.h#L66 , header->linkname is a char of the size 100. Once entry->link contains a value that's bigger than 100 it will overflow the _tar_header structure.

This can be fixed by setting the size argument of strncpy to sizeof(header->linkname) for example:

strncpy(header.linkname, entry->link, strlen(header->linkname);

Kind Regards,

Jordy Zomer


Test script:
---------------
None yet.

Expected result:
----------------
None

Actual result:
--------------
None

Patches

issue-77586-buff-overflow (last revision 2019-02-13 05:17 UTC by bishop@php.net)
issue-77586-buff-overflow.patch (last revision 2019-02-11 21:16 UTC by bishop@php.net)
phar_tar_writeheaders.patch (last revision 2019-02-08 11:16 UTC by jordy at simplyhacker dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-02-10 02:00 UTC] stas@php.net
-Assigned To: +Assigned To: bishop
 [2019-02-11 18:16 UTC] bishop@php.net
-Package: *Compression related +Package: PHAR related
 [2019-02-11 20:23 UTC] bishop@php.net
-Status: Assigned +Status: Analyzed
 [2019-02-11 20:45 UTC] bishop@php.net 
Phar traverses the if (entry->link) condition only when the entry is a symlink. Bug 65332, however, prevents that from occurring.
 [2019-02-11 21:12 UTC] bishop@php.net
-Status: Analyzed +Status: Verified
 [2019-02-11 21:16 UTC] bishop@php.net 
The following patch has been added/updated:

Patch Name: issue-77586-buff-overflow.patch
Revision:   1549919797
URL:        https://bugs.php.net/patch-display.php?bug=77586&patch=issue-77586-buff-overflow.patch&revision=1549919797
 [2019-02-11 21:20 UTC] bishop@php.net 
Unified diff against PHP-7.1 attached.
 [2019-02-12 14:59 UTC] bishop@php.net 
Classifying as LOW severity, because of aforementioned bug 65332, under the criterion:

> This issue allows theoretical compromise of security, but practical attack is usually impossible...

https://wiki.php.net/security#low_severity
 [2019-02-12 15:01 UTC] bishop@php.net
-Status: Verified +Status: Feedback
 [2019-02-12 15:01 UTC] bishop@php.net 
OP, please review patch and provide any additional comments before final merge.
 [2019-02-13 05:17 UTC] bishop@php.net 
The following patch has been added/updated:

Patch Name: issue-77586-buff-overflow
Revision:   1550035076
URL:        https://bugs.php.net/patch-display.php?bug=77586&patch=issue-77586-buff-overflow&revision=1550035076
 [2019-02-13 08:16 UTC] jordy at simplyhacker dot com
-Status: Feedback +Status: Assigned
 [2019-02-13 08:16 UTC] jordy at simplyhacker dot com 
Hey Bishop,

It looks like I don't have access to the patch.

Can you give me access or comment it?

Kind Regards,

Jordy
 [2019-02-13 17:30 UTC] cmb@php.net 
Bishop, you can provide the patch as *secret* gist[1] which is
quite customary for security patches.

[1] <https://gist.github.com/>
 [2019-02-13 18:22 UTC] bishop@php.net
-Status: Assigned +Status: Feedback
 [2019-02-13 18:22 UTC] bishop@php.net 
Ack, @cmb. I had already emailed the patch to the OP, but will use a different approach for future sec bug.
 [2019-02-24 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2019-03-04 06:31 UTC] stas@php.net
-Status: No Feedback +Status: Open
 [2019-03-04 07:34 UTC] stas@php.net
-PHP Version: master-Git-2019-02-08 (Git) +PHP Version: 7.1.26
 [2019-03-04 07:35 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e0f5d62bd6690169998474b62f92a8c5ddf0e699
Log: Fix bug #77586 - phar_tar_writeheaders_int() buffer overflow
 [2019-03-04 07:35 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-04-29 07:09 UTC] bishop@php.net 
Related To: Bug #77919
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 18 12:01:28 2024 UTC