Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711140 - <dev-lang/php-{7.2.34-r1,7.3.15,7.4.3}: Bypass of disable_functions via use-after-free
Summary: <dev-lang/php-{7.2.34-r1,7.3.15,7.4.3}: Bypass of disable_functions via use-a...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=76047
Whiteboard: B3 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-01 03:16 UTC by Sam James
Modified: 2020-12-23 20:21 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-03-01 03:16:41 UTC
Description:
Bypass of disable_functions via UAF.

CVE: None assigned
Exploit: https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass
Bug: https://bugs.php.net/bug.php?id=76047
Fix: https://git.php.net/?p=php-src.git;a=commit;h=ef1e4891b47949c8dc0f9482eef9454a0ecdfa1d

Affects (according to the POC creator):
>7.0 - all versions to date
>7.1 - all versions to date
>7.2 - all versions to date
>7.3 < 7.3.15 (released 20 Feb 2020)
>7.4 < 7.4.3 (released 20 Feb 2020)
Comment 1 Sam James archtester gentoo-dev Security 2020-03-01 03:19:44 UTC
NOTE: I've chosen B1 because it allows an escalation of privileges (from e.g. FTP access to possibly running commands locally). A case could be made for a lower severity.

This mostly affects e.g. shared hosting providers.
Comment 2 Sam James archtester gentoo-dev Security 2020-03-01 03:20:07 UTC
NOTE: I've chosen B1 because it allows an escalation of privileges (from e.g. FTP access to possibly running commands locally). A case could be made for a lower severity.

This mostly affects e.g. shared hosting providers.
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-03-02 22:19:30 UTC
No, this is not a priv escalation vulnerability.

PHP-7.2.x still needs to be patched.
Comment 4 Thomas Deutschmann gentoo-dev Security 2020-03-26 13:18:01 UTC
Looks still not fixed in php-7.2.29.
Comment 5 Sam James archtester gentoo-dev Security 2020-03-26 22:10:55 UTC
(In reply to Thomas Deutschmann from comment #4)
> Looks still not fixed in php-7.2.29.

Emailed the committer today. Bug is closed to comments.

We'll wait a small period and then reconsider options, but the patch is simple for the other versions, we may be able to just backport it.
Comment 6 Sam James archtester gentoo-dev Security 2020-04-16 23:28:05 UTC
(In reply to Sam James (sec padawan) from comment #5)
> (In reply to Thomas Deutschmann from comment #4)
> > Looks still not fixed in php-7.2.29.
> 
> Emailed the committer today. Bug is closed to comments.
> 
> We'll wait a small period and then reconsider options, but the patch is
> simple for the other versions, we may be able to just backport it.

Nothing back.

@maintainer(s), please look at backporting the patch if possible.
Comment 7 Thomas Deutschmann gentoo-dev Security 2020-12-22 23:59:43 UTC
Latest PHP 7.2.34 is still affected.
Comment 8 Larry the Git Cow gentoo-dev 2020-12-23 00:39:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=280c5e27b96f27eed2f3325576d74361abb36294

commit 280c5e27b96f27eed2f3325576d74361abb36294
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-12-23 00:38:40 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-12-23 00:39:05 +0000

    dev-lang/php: fix use-after-free when accessing already destructed backtrace arguments
    
    Bug: https://bugs.gentoo.org/711140
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../files/php-7.2.34-use-after-free-bug76047.patch | 174 +++++++++++++++++++++
 .../{php-7.2.34.ebuild => php-7.2.34-r1.ebuild}    |   1 +
 2 files changed, 175 insertions(+)
Comment 9 Thomas Deutschmann gentoo-dev Security 2020-12-23 00:40:35 UTC
New GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:21:05 UTC
This issue was resolved and addressed in
 GLSA 202012-16 at https://security.gentoo.org/glsa/202012-16
by GLSA coordinator Thomas Deutschmann (whissi).