Bug 711140 - <dev-lang/php-{7.2.34-r1,7.3.15,7.4.3}: Bypass of disable_functions via use-after-free
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=76047
Whiteboard: B3 [glsa+]
Reported: 2020-03-01 03:16 UTC by Sam James
Modified: 2020-12-23 20:21 UTC
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 03:16:41 UTC
Description:
Bypass of disable_functions via UAF.

CVE: None assigned
Exploit: https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass
Bug: https://bugs.php.net/bug.php?id=76047
Fix: https://git.php.net/?p=php-src.git;a=commit;h=ef1e4891b47949c8dc0f9482eef9454a0ecdfa1d

Affects (according to the POC creator):
- 7.0: all versions to date
- 7.1: all versions to date
- 7.2: all versions to date
- 7.3: < 7.3.15 (released 20 Feb 2020)
- 7.4: < 7.4.3 (released 20 Feb 2020)
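A small checker for the version ranges listed above, added here as an example; it is not part of the bug report, of PHP, or of the Gentoo ebuild. It assumes Gentoo's `-rN` revision suffix sorts after the plain release (so `7.2.34-r1`, which carries the Gentoo backport, counts as fixed while upstream `7.2.34` does not) and treats branches not listed in the report as unaffected.

```python
import re

# Version at which each branch first carries the bug #76047 fix, as a
# (major, minor, patch, gentoo_revision) tuple. 7.3 and 7.4 were fixed
# upstream; 7.2 only via the Gentoo revision dev-lang/php-7.2.34-r1
# (assumption: the -rN suffix is modelled as a fourth component).
FIXED_IN = {
    (7, 2): (7, 2, 34, 1),
    (7, 3): (7, 3, 15, 0),
    (7, 4): (7, 4, 3, 0),
}
# Branches the report lists as affected in every version to date.
NEVER_FIXED = {(7, 0), (7, 1)}

# Accepts "7.4.3" and Gentoo-style "7.2.34-r1".
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?$")


def parse_version(s):
    """Parse a PHP version string into a comparable 4-tuple."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {s!r}")
    major, minor, patch, rev = m.groups()
    return (int(major), int(minor), int(patch), int(rev or 0))


def is_affected(version):
    """True if this PHP build lacks the fix for the backtrace UAF (#76047)."""
    v = parse_version(version)
    branch = v[:2]
    if branch in NEVER_FIXED:
        return True
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    # Branches not named in the report (e.g. 8.x) are not flagged here.
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for ver in ["7.2.29", "7.2.34", "7.2.34-r1", "7.3.14", "7.3.15", "7.4.2"]:
        print(f"{ver:12} affected={is_affected(ver)}")
```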
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-01 03:19:44 UTC
NOTE: I've chosen B1 because it allows an escalation of privileges (from e.g. FTP access to possibly running commands locally). A case could be made for a lower severity.

This mostly affects e.g. shared hosting providers.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-02 22:19:30 UTC
No, this is not a priv escalation vulnerability.

PHP-7.2.x still needs to be patched.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-26 13:18:01 UTC
Looks still not fixed in php-7.2.29.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 22:10:55 UTC
(In reply to Thomas Deutschmann from comment #4)
> Looks still not fixed in php-7.2.29.

Emailed the committer today. Bug is closed to comments.

We'll wait a small period and then reconsider options, but the patch is simple for the other versions; we may be able to just backport it.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-16 23:28:05 UTC
(In reply to Sam James (sec padawan) from comment #5)
> (In reply to Thomas Deutschmann from comment #4)
> > Looks still not fixed in php-7.2.29.
> 
> Emailed the committer today. Bug is closed to comments.
> 
> We'll wait a small period and then reconsider options, but the patch is
> simple for the other versions, we may be able to just backport it.

Nothing back.

@maintainer(s), please look at backporting the patch if possible.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-22 23:59:43 UTC
Latest PHP 7.2.34 is still affected.
Comment 8 Larry the Git Cow gentoo-dev 2020-12-23 00:39:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=280c5e27b96f27eed2f3325576d74361abb36294

commit 280c5e27b96f27eed2f3325576d74361abb36294
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-12-23 00:38:40 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-12-23 00:39:05 +0000

    dev-lang/php: fix use-after-free when accessing already destructed backtrace arguments
    
    Bug: https://bugs.gentoo.org/711140
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../files/php-7.2.34-use-after-free-bug76047.patch | 174 +++++++++++++++++++++
 .../{php-7.2.34.ebuild => php-7.2.34-r1.ebuild}    |   1 +
 2 files changed, 175 insertions(+)
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-23 00:40:35 UTC
New GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:21:05 UTC
This issue was resolved and addressed in
 GLSA 202012-16 at https://security.gentoo.org/glsa/202012-16
by GLSA coordinator Thomas Deutschmann (whissi).