Sec Bug #61065 Secunia SA44335 - arbitrary code execution
Submitted: 2012-02-12 21:43 UTC Modified: 2014-06-19 16:31 UTC
From: ty at sarna dot org Assigned: stas (profile)
Status: Closed Package: PHAR related
PHP Version: 5.3.10 OS: All
Private report: No CVE-ID: 2012-2386
 [2012-02-12 21:43 UTC] ty at sarna dot org
Description:
------------
I see no evidence that php.net is aware of this issue, but it seems known 
elsewhere (NetBSD pkgsrc reports 5.3.10 as vulnerable due to this bug, and 
refuses to install without an override)


See:

http://secunia.com/advisories/44335
http://0x1byte.blogspot.com/2011/04/php-phar-extension-heap-overflow.html

"The vulnerability is caused due to an integer overflow error within the phar 
extension in the "phar_parse_tarfile()" function (ext/phar/tar.c) and can be 
exploited to cause a heap-based buffer overflow via a specially crafted TAR 
file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 5.3.6. Other versions may also be 
affected."
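
The class of bug the advisory describes, shown as an added example that is not PHP's code or the patch attached to this report: a 32-bit unsigned length parsed from a TAR header's octal field wraps to 0 when 1 is added for the terminator, so the allocation ends up smaller than the data later read into it. The function names, the 4096-byte cap and the rejection rule are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse an octal ASCII TAR header field into 32 bits; -1 if it does not fit. */
int tar_octal_u32(const char *field, size_t width, uint32_t *out)
{
    uint64_t v = 0;
    size_t i = 0;
    while (i < width && field[i] == ' ') i++;   /* leading padding */
    for (; i < width && field[i] >= '0' && field[i] <= '7'; i++) {
        v = (v << 3) | (uint64_t)(field[i] - '0');
        if (v > UINT32_MAX) return -1;
    }
    *out = (uint32_t)v;
    return 0;
}

/* Unchecked: len + 1 wraps to 0 in 32-bit arithmetic when len == UINT32_MAX. */
uint32_t alloc_size_unchecked(uint32_t len) { return len + 1u; }

/* Checked: reject the wrapping value and anything above max_len (assumed cap). */
int alloc_size_checked(uint32_t len, uint32_t max_len, uint32_t *size)
{
    if (len == UINT32_MAX || len > max_len) return -1;
    *size = len + 1u;
    return 0;
}

/* Allocate a zeroed, NUL-terminated buffer for the parsed length, or NULL. */
char *alloc_name(const char *field, size_t width, uint32_t max_len)
{
    uint32_t len, size;
    if (tar_octal_u32(field, width, &len) != 0) return NULL;
    if (alloc_size_checked(len, max_len, &size) != 0) return NULL;
    return calloc(size, 1);
}

int main(void)
{
    /* Constructed header values: octal 37777777777 == UINT32_MAX, 144 == 100. */
    const char *fields[] = { "37777777777", "00000000144" };
    for (int i = 0; i < 2; i++) {
        char *buf = alloc_name(fields[i], 12, 4096);
        printf("%s -> %s\n", fields[i], buf ? "allocated" : "rejected");
        free(buf);
    }
    return 0;
}
```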





Patches

phar.diff (last revision 2012-05-13 02:20 UTC by [email protected])

History

 [2012-05-13 02:20 UTC] [email protected]
The following patch has been added/updated:

Patch Name: phar.diff
Revision:   1336875629
URL:        https://bugs.php.net/patch-display.php?bug=61065&patch=phar.diff&revision=1336875629
 [2012-05-13 14:24 UTC] [email protected]
Patch looks good too and builds fine. Maybe add a comment to say that filename_len 
and uncompressed_filesize are uint32 as it may not be obvious (< 0 or >= checks 
instead :).
 [2012-05-13 16:05 UTC] [email protected]
We also need a CVE for that one; can anyone request one, please?
 [2012-05-20 18:09 UTC] [email protected]
CVE id has been requested.
 [2012-05-22 17:51 UTC] [email protected]
-CVE-ID: +CVE-ID: 2012-2386
 [2012-05-30 07:29 UTC] [email protected]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-05-30 07:29 UTC] [email protected]
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2012-06-14 21:53 UTC] [email protected]
Is there a particular reason why the CVE name wasn't mentioned in the changelog?
 [2012-06-14 23:43 UTC] [email protected]
I've added it to the changelog. (In a few minutes it'll appear on the site.)

Thanks.
 [2012-07-04 22:23 UTC] [email protected]
Why did we not simply use safe_pemalloc() here?
 [2014-10-07 23:25 UTC] [email protected]
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=4eb802bb14b05b82573457bc0f528e61ca7ddc45
Log: fix bug #61065 (cherry picked from commit a10e778bfb7ce9caa1f91666ddf2705db7982d68)
 [2014-10-07 23:36 UTC] [email protected]
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=4eb802bb14b05b82573457bc0f528e61ca7ddc45
Log: fix bug #61065 (cherry picked from commit a10e778bfb7ce9caa1f91666ddf2705db7982d68)
 