[PATCH][meta-oe] php: NULL pointer dereference in phar_get_fp_offset()

[PATCH][meta-oe] php: NULL pointer dereference in phar_get_fp_offset()

[Jian Liu]

CVE-2015-7803:
The phar_get_entry_data function in ext/phar/util.c in PHP
before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers
to cause a denial of service (NULL pointer dereference and
application crash) via a .phar file with a crafted TAR archive
entry in which the Link indicator references a file that does
not exist.

This patch is from
http://git.php.net/?p=php-src.git;a=commitdiff;\
h=d698f0ae51f67c9cce870b09c59df3d6ba959244;hp=bb98ed600ab6787d9d367927d49439be9a83441e

Signed-off-by: Jian Liu <jian.liu@windriver.com>
---
 .../php/php-5.6.12/php-CVE-2015-7803.patch         | 72 ++++++++++++++++++++++
 meta-oe/recipes-devtools/php/php.inc               |  1 +
 2 files changed, 73 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7803.patch

diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7803.patch b/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7803.patch
new file mode 100644
index 0000000..77ff44f
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7803.patch
@@ -0,0 +1,72 @@
+Fix bug #69720: Null pointer dereference in phar_get_fp_offset()
+
+The phar_get_entry_data function in ext/phar/util.c in PHP 
+before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers 
+to cause a denial of service (NULL pointer dereference and 
+application crash) via a .phar file with a crafted TAR archive 
+entry in which the Link indicator references a file that does 
+not exist.
+
+Written-by: Stanislav Malyshev <stas@php.net>
+
+Binary files php-5.6.12.orig/ext/phar/tests/bug69720.phar and php-5.6.12/ext/phar/tests/bug69720.phar differ
+diff -Nur php-5.6.12.orig/ext/phar/tests/bug69720.phpt php-5.6.12/ext/phar/tests/bug69720.phpt
+--- php-5.6.12.orig/ext/phar/tests/bug69720.phpt	1970-01-01 08:00:00.000000000 +0800
++++ php-5.6.12/ext/phar/tests/bug69720.phpt	2015-12-16 17:15:56.703415339 +0800
+@@ -0,0 +1,40 @@
++--TEST--
++Phar - bug #69720 - Null pointer dereference in phar_get_fp_offset()
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--FILE--
++<?php
++try {
++    // open an existing phar
++    $p = new Phar(__DIR__."/bug69720.phar",0);
++    // Phar extends SPL's DirectoryIterator class
++	echo $p->getMetadata();
++    foreach (new RecursiveIteratorIterator($p) as $file) {
++        // $file is a PharFileInfo class, and inherits from SplFileInfo
++	$temp="";
++        $temp= $file->getFileName() . "\n";
++        $temp.=file_get_contents($file->getPathName()) . "\n"; // display contents
++	var_dump($file->getMetadata());
++    }
++}
++ catch (Exception $e) {
++    echo 'Could not open Phar: ', $e;
++}
++?>
++--EXPECTF--
++
++MY_METADATA_NULL
++
++Warning: file_get_contents(phar:///%s): failed to open stream: phar error: "test.php" is not a file in phar "%s.phar" in %s.php on line %d
++array(1) {
++  ["whatever"]=>
++  int(123)
++}
++object(DateTime)#2 (3) {
++  ["date"]=>
++  string(26) "2000-01-01 00:00:00.000000"
++  ["timezone_type"]=>
++  int(3)
++  ["timezone"]=>
++  string(3) "UTC"
++}
+diff -Nur php-5.6.12.orig/ext/phar/util.c php-5.6.12/ext/phar/util.c
+--- php-5.6.12.orig/ext/phar/util.c	2015-12-16 17:06:04.011411206 +0800
++++ php-5.6.12/ext/phar/util.c	2015-12-16 17:18:08.683416259 +0800
+@@ -494,7 +494,11 @@
+ 	(*ret)->is_tar = entry->is_tar;
+ 	(*ret)->fp = phar_get_efp(entry, 1 TSRMLS_CC);
+ 	if (entry->link) {
+-		(*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry TSRMLS_CC) TSRMLS_CC);
++		phar_entry_info *link = phar_get_link_source(entry TSRMLS_CC);
++		if(!link) {
++			return FAILURE;
++		}
++		(*ret)->zero = phar_get_fp_offset(link TSRMLS_CC);
+ 	} else {
+ 		(*ret)->zero = phar_get_fp_offset(entry TSRMLS_CC);
+ 	}
diff --git a/meta-oe/recipes-devtools/php/php.inc b/meta-oe/recipes-devtools/php/php.inc
index 67d2362..4aa9c3f 100644
--- a/meta-oe/recipes-devtools/php/php.inc
+++ b/meta-oe/recipes-devtools/php/php.inc
@@ -14,6 +14,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
            file://acinclude-xml2-config.patch \
            file://0001-php-don-t-use-broken-wrapper-for-mkdir.patch \
            file://0001-acinclude-use-pkgconfig-for-libxml2-config.patch \
+           file://php-CVE-2015-7803.patch \
           "
 
 SRC_URI_append_class-target += " \
-- 
1.9.1

Re: [PATCH][meta-oe] php: NULL pointer dereference in phar_get_fp_offset()

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 5127 bytes --]

On Thu, Dec 17, 2015 at 11:18:20AM +0800, Jian Liu wrote:
> CVE-2015-7803:
> The phar_get_entry_data function in ext/phar/util.c in PHP
> before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers
> to cause a denial of service (NULL pointer dereference and
> application crash) via a .phar file with a crafted TAR archive
> entry in which the Link indicator references a file that does
> not exist.

Upgrade to 5.6.16 was already merged in master, I've dropped this change
from master-next now.

Maybe you wanted to get it merged in jethro branch?

> 
> This patch is from
> http://git.php.net/?p=php-src.git;a=commitdiff;\
> h=d698f0ae51f67c9cce870b09c59df3d6ba959244;hp=bb98ed600ab6787d9d367927d49439be9a83441e
> 
> Signed-off-by: Jian Liu <jian.liu@windriver.com>
> ---
>  .../php/php-5.6.12/php-CVE-2015-7803.patch         | 72 ++++++++++++++++++++++
>  meta-oe/recipes-devtools/php/php.inc               |  1 +
>  2 files changed, 73 insertions(+)
>  create mode 100644 meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7803.patch
> 
> diff --git a/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7803.patch b/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7803.patch
> new file mode 100644
> index 0000000..77ff44f
> --- /dev/null
> +++ b/meta-oe/recipes-devtools/php/php-5.6.12/php-CVE-2015-7803.patch
> @@ -0,0 +1,72 @@
> +Fix bug #69720: Null pointer dereference in phar_get_fp_offset()
> +
> +The phar_get_entry_data function in ext/phar/util.c in PHP 
> +before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers 
> +to cause a denial of service (NULL pointer dereference and 
> +application crash) via a .phar file with a crafted TAR archive 
> +entry in which the Link indicator references a file that does 
> +not exist.
> +
> +Written-by: Stanislav Malyshev <stas@php.net>
> +
> +Binary files php-5.6.12.orig/ext/phar/tests/bug69720.phar and php-5.6.12/ext/phar/tests/bug69720.phar differ
> +diff -Nur php-5.6.12.orig/ext/phar/tests/bug69720.phpt php-5.6.12/ext/phar/tests/bug69720.phpt
> +--- php-5.6.12.orig/ext/phar/tests/bug69720.phpt	1970-01-01 08:00:00.000000000 +0800
> ++++ php-5.6.12/ext/phar/tests/bug69720.phpt	2015-12-16 17:15:56.703415339 +0800
> +@@ -0,0 +1,40 @@
> ++--TEST--
> ++Phar - bug #69720 - Null pointer dereference in phar_get_fp_offset()
> ++--SKIPIF--
> ++<?php if (!extension_loaded("phar")) die("skip"); ?>
> ++--FILE--
> ++<?php
> ++try {
> ++    // open an existing phar
> ++    $p = new Phar(__DIR__."/bug69720.phar",0);
> ++    // Phar extends SPL's DirectoryIterator class
> ++	echo $p->getMetadata();
> ++    foreach (new RecursiveIteratorIterator($p) as $file) {
> ++        // $file is a PharFileInfo class, and inherits from SplFileInfo
> ++	$temp="";
> ++        $temp= $file->getFileName() . "\n";
> ++        $temp.=file_get_contents($file->getPathName()) . "\n"; // display contents
> ++	var_dump($file->getMetadata());
> ++    }
> ++}
> ++ catch (Exception $e) {
> ++    echo 'Could not open Phar: ', $e;
> ++}
> ++?>
> ++--EXPECTF--
> ++
> ++MY_METADATA_NULL
> ++
> ++Warning: file_get_contents(phar:///%s): failed to open stream: phar error: "test.php" is not a file in phar "%s.phar" in %s.php on line %d
> ++array(1) {
> ++  ["whatever"]=>
> ++  int(123)
> ++}
> ++object(DateTime)#2 (3) {
> ++  ["date"]=>
> ++  string(26) "2000-01-01 00:00:00.000000"
> ++  ["timezone_type"]=>
> ++  int(3)
> ++  ["timezone"]=>
> ++  string(3) "UTC"
> ++}
> +diff -Nur php-5.6.12.orig/ext/phar/util.c php-5.6.12/ext/phar/util.c
> +--- php-5.6.12.orig/ext/phar/util.c	2015-12-16 17:06:04.011411206 +0800
> ++++ php-5.6.12/ext/phar/util.c	2015-12-16 17:18:08.683416259 +0800
> +@@ -494,7 +494,11 @@
> + 	(*ret)->is_tar = entry->is_tar;
> + 	(*ret)->fp = phar_get_efp(entry, 1 TSRMLS_CC);
> + 	if (entry->link) {
> +-		(*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry TSRMLS_CC) TSRMLS_CC);
> ++		phar_entry_info *link = phar_get_link_source(entry TSRMLS_CC);
> ++		if(!link) {
> ++			return FAILURE;
> ++		}
> ++		(*ret)->zero = phar_get_fp_offset(link TSRMLS_CC);
> + 	} else {
> + 		(*ret)->zero = phar_get_fp_offset(entry TSRMLS_CC);
> + 	}
> diff --git a/meta-oe/recipes-devtools/php/php.inc b/meta-oe/recipes-devtools/php/php.inc
> index 67d2362..4aa9c3f 100644
> --- a/meta-oe/recipes-devtools/php/php.inc
> +++ b/meta-oe/recipes-devtools/php/php.inc
> @@ -14,6 +14,7 @@ SRC_URI = "http://php.net/distributions/php-${PV}.tar.bz2 \
>             file://acinclude-xml2-config.patch \
>             file://0001-php-don-t-use-broken-wrapper-for-mkdir.patch \
>             file://0001-acinclude-use-pkgconfig-for-libxml2-config.patch \
> +           file://php-CVE-2015-7803.patch \
>            "
>  
>  SRC_URI_append_class-target += " \
> -- 
> 1.9.1
> 
> -- 
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 188 bytes --]