Bug 711140

Summary:	<dev-lang/php-{7.2.34-r1,7.3.15,7.4.3}: Bypass of disable_functions via use-after-free
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	mjo, php-bugs
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugs.php.net/bug.php?id=76047
Whiteboard:	B3 [glsa+]
Package list:		Runtime testing required:	---

Description Sam James archtester

2020-03-01 03:16:41 UTC

Description:
Bypass of disable_functions via UAF.

CVE: None assigned
Exploit: https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass
Bug: https://bugs.php.net/bug.php?id=76047
Fix: https://git.php.net/?p=php-src.git;a=commit;h=ef1e4891b47949c8dc0f9482eef9454a0ecdfa1d

Affects (according to the POC creator):
>7.0 - all versions to date
>7.1 - all versions to date
>7.2 - all versions to date
>7.3 < 7.3.15 (released 20 Feb 2020)
>7.4 < 7.4.3 (released 20 Feb 2020)

Comment 1 Sam James archtester

2020-03-01 03:19:44 UTC

NOTE: I've chosen B1 because it allows an escalation of privileges (from e.g. FTP access to possibly running commands locally). A case could be made for a lower severity.

This mostly affects e.g. shared hosting providers.

Comment 2 Sam James archtester

2020-03-01 03:20:07 UTC

NOTE: I've chosen B1 because it allows an escalation of privileges (from e.g. FTP access to possibly running commands locally). A case could be made for a lower severity.

This mostly affects e.g. shared hosting providers.

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-02 22:19:30 UTC

No, this is not a priv escalation vulnerability.

PHP-7.2.x still needs to be patched.

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-26 13:18:01 UTC

Looks still not fixed in php-7.2.29.

Comment 5 Sam James archtester

2020-03-26 22:10:55 UTC

(In reply to Thomas Deutschmann from comment #4)
> Looks still not fixed in php-7.2.29.

Emailed the committer today. Bug is closed to comments.

We'll wait a small period and then reconsider options, but the patch is simple for the other versions, we may be able to just backport it.

Comment 6 Sam James archtester

2020-04-16 23:28:05 UTC

(In reply to Sam James (sec padawan) from comment #5)
> (In reply to Thomas Deutschmann from comment #4)
> > Looks still not fixed in php-7.2.29.
> 
> Emailed the committer today. Bug is closed to comments.
> 
> We'll wait a small period and then reconsider options, but the patch is
> simple for the other versions, we may be able to just backport it.

Nothing back.

@maintainer(s), please look at backporting the patch if possible.

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2020-12-22 23:59:43 UTC

Latest PHP 7.2.34 is still affected.

Comment 8 Larry the Git Cow gentoo-dev

2020-12-23 00:39:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=280c5e27b96f27eed2f3325576d74361abb36294

commit 280c5e27b96f27eed2f3325576d74361abb36294
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-12-23 00:38:40 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-12-23 00:39:05 +0000

    dev-lang/php: fix use-after-free when accessing already destructed backtrace arguments
    
    Bug: https://bugs.gentoo.org/711140
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../files/php-7.2.34-use-after-free-bug76047.patch | 174 +++++++++++++++++++++
 .../{php-7.2.34.ebuild => php-7.2.34-r1.ebuild}    |   1 +
 2 files changed, 175 insertions(+)

Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev

2020-12-23 00:40:35 UTC

New GLSA request filed.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2020-12-23 20:21:05 UTC

This issue was resolved and addressed in
 GLSA 202012-16 at https://security.gentoo.org/glsa/202012-16
by GLSA coordinator Thomas Deutschmann (whissi).