[php-maint] Bug#850158: Use of uninitialized memory in unserialize()

Henri Salo henri at nerv.fi
Wed Jan 4 13:53:37 UTC 2017



Package: php7.0
Version: 7.0.14-2
Severity: important
Tags: security, upstream, fixed-upstream

A bug was found showing that PHP uses uninitialized memory during calls to
`unserialize()`. As the following report shows, the payload supplied to
`unserialize()` may control this uninitialized memory region and thus may be
used to trick PHP into operating on faked objects and calling attacker-
controlled destructor function pointers. The supplied proof of concept exploit
practically demonstrates the issue by executing arbitrary code solely by passing
a specially crafted string to `unserialize()`. Even though this particular demo
exploit only works locally, this flaw is very likely to also allow for remote
code execution.

Upstream bug report for additional details: https://bugs.php.net/bug.php?id=73832
Fix: https://gist.github.com/anonymous/9fbe5ccbe8e18659bec11ac963fd07a3

-- 
Henri Salo
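The report above is about a memory-safety defect inside the unserialize() parser, for which the only real fix is the upstream patch. Independently of that, the reason the defect is reachable at all is that `unserialize()` lets its input decide which application classes (and therefore which destructors) are instantiated. The following PHP snippet is an added illustration, not code from the bug report or from PHP upstream; the `TempFile` class, the serialized string and the `/tmp/example` path are constructed for the example.

```php
<?php
// Added example, not part of the bug report. Shows (1) that a serialized
// string chooses the class that unserialize() instantiates, so any class
// with a __destruct() becomes reachable from untrusted input, and (2) the
// hardened call that refuses to instantiate application classes at all.

class TempFile {
    public $path;
    public function __destruct() {
        // A real destructor might unlink $this->path, close a handle, etc.
        echo "TempFile::__destruct would act on {$this->path}\n";
    }
}

// Constructed serialized form of a TempFile object. unserialize() builds the
// object and later runs its destructor although this code never wrote
// `new TempFile`.
$untrusted = 'O:8:"TempFile":1:{s:4:"path";s:12:"/tmp/example";}';

// 1. Unsafe: the input decides which classes are instantiated.
$obj = unserialize($untrusted);
var_dump(get_class($obj)); // string(8) "TempFile"
unset($obj);               // destructor runs here

// 2. Hardened (PHP >= 7.0): refuse every class. Objects in the input become
//    __PHP_Incomplete_Class, so no application destructor is ever bound.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
var_dump(get_class($safe)); // string(22) "__PHP_Incomplete_Class"

// 3. Stricter: accept only plain data, rejecting objects at any nesting depth.
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

function decodeUntrusted(string $data)
{
    $value = unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('objects are not accepted');
    }
    return $value;
}
```

`allowed_classes` removes the object-instantiation path but still runs attacker-controlled bytes through the same parser the bug lives in, so for untrusted input it is a mitigation to pair with the upstream fix, not a substitute; where the data format is under your control, a format with no object semantics (for example `json_decode()`) avoids the parser entirely.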