[php-maint] Bug#850158: Bug#850158: Use of uninitialized memory in unserialize()

Ondřej Surý ondrej at sury.org
Wed Jan 4 14:24:22 UTC 2017


Hi,

Any web application that allows passing unsanitized data to
unserialize() is doomed, so I don't really think that this requires
immediate attention.

This will get fixed in a normal security cycle with next PHP release (or
I'll add the patch on top of next release).

Cheers,
-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – flour from the mill and supplies
for baking bread of every kind

On Wed, Jan 4, 2017, at 14:53, Henri Salo wrote:
> 
> Package: php7.0
> Version: 7.0.14-2
> Severity: important
> Tags: security, upstream, fixed-upstream
> 
> A bug was found showing that PHP uses uninitialized memory during calls to
> `unserialize()`. As the following report shows, the payload supplied to
> `unserialize()` may control this uninitialized memory region and thus may be
> used to trick PHP into operating on faked objects and calling attacker
> controlled destructor function pointers. The supplied proof of concept exploit
> practically demonstrates the issue by executing arbitrary code solely by
> passing a specially crafted string to `unserialize()`. Even though this
> particular demo exploit only works locally, this flaw is very likely to also
> allow for remote code execution.
> 
> Upstream bug report for additional details:
> https://bugs.php.net/bug.php?id=73832
> Fix: https://gist.github.com/anonymous/9fbe5ccbe8e18659bec11ac963fd07a3
> 
> - -- 
> Henri Salo
> 
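Both messages above make the same point from different sides: Henri's report shows that whoever controls the bytes handed to `unserialize()` controls what the parser does with them, and Ondřej's reply notes that an application which lets untrusted input reach `unserialize()` has already lost. The following PHP is an added example, not code from the bug report, from Debian or from upstream PHP; it shows the defensive pattern that addresses both points: the server only ever unserializes bytes it produced itself, verified with an HMAC before parsing, and even then refuses to instantiate objects. The key constant, the `sealState`/`openState` function names and the sample data are assumptions made for the example.

```php
<?php
// Added example (not from the bug report or the Debian package): treat
// serialized data arriving from outside the application as untrusted bytes
// that must be authenticated before unserialize() ever sees them.

declare(strict_types=1);

// Hypothetical secret for the example; in a real deployment it comes from
// configuration, never from the request.
const EXAMPLE_HMAC_KEY = 'replace-with-a-random-32-byte-secret';

/**
 * Serialize application state and wrap it in an HMAC tag, so that only
 * blobs this server produced will later pass openState().
 */
function sealState(array $state, string $key): string
{
    $payload = serialize($state);
    $tag = hash_hmac('sha256', $payload, $key);
    return $tag . ':' . base64_encode($payload);
}

/**
 * Verify the tag BEFORE the bytes reach unserialize(). A forged or tampered
 * blob is rejected without being parsed at all, which is the only defence
 * that also covers bugs inside the unserialize() parser itself (such as the
 * uninitialized-memory issue this thread is about). Returns null on any
 * failure.
 */
function openState(string $sealed, string $key): ?array
{
    $parts = explode(':', $sealed, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$tag, $encoded] = $parts;

    // Strict base64 decoding rejects stray characters instead of ignoring them.
    $payload = base64_decode($encoded, true);
    if ($payload === false) {
        return null;
    }

    // Constant-time comparison; never compare MACs with == or ===.
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $tag)) {
        return null;
    }

    // Belt and braces: even for authenticated data, refuse to instantiate
    // objects. The allowed_classes option exists since PHP 7.0; any object
    // in the payload becomes __PHP_Incomplete_Class, so no __wakeup() or
    // __destruct() of an application class runs as a side effect of parsing.
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Demonstration with constructed input.
$sealed = sealState(['user' => 'alice', 'role' => 'viewer'], EXAMPLE_HMAC_KEY);
var_dump(openState($sealed, EXAMPLE_HMAC_KEY));   // the original array

// A client that edits the encoded part (here: trying to become "admin")
// fails the MAC check and never reaches unserialize().
$forged   = base64_encode(serialize(['user' => 'alice', 'role' => 'admin']));
$tampered = preg_replace('/:.*$/', ':' . $forged, $sealed);
var_dump(openState($tampered, EXAMPLE_HMAC_KEY)); // NULL
```

Where the data is plain values rather than PHP objects, `json_decode()` is the simpler choice: it has no notion of classes, destructors or references, so the whole class of object-injection problems disappears. The HMAC step is still worth keeping for anything that round-trips through the client, since integrity of the blob and safety of the parser are separate properties.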