
CVE-2016-10160: Fix bug #73768 - Memory corruption when loading hostile phar · php/php-src@b28b8b2

Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.


@@ -981,15 +981,14 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char /* if the alias is stored we enforce it (implicit overrides explicit) */ if (alias && alias_len && (alias_len != (int)tmp_len || strncmp(alias, buffer, tmp_len))) { buffer[tmp_len] = '\0’; php_stream_close(fp);
if (signature) { efree(signature); }
if (error) { spprintf(error, 0, “cannot load phar \"%s\” with implicit alias \"%s\" under different alias \"%s\"", fname, buffer, alias); spprintf(error, 0, “cannot load phar \"%s\” with implicit alias \"%.*s\" under different alias \"%s\"", fname, tmp_len, buffer, alias); }
efree(savebuf);
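
Review bot: the replacement spprintf call passes tmp_len as the precision for `%.*s` without a cast, while the condition at the top of the hunk compares it as `(int)tmp_len`, which suggests it is not declared as int. The precision argument is consumed as an int, so cast it explicitly (`fname, (int)tmp_len, buffer, alias`). Also confirm that tmp_len has been checked against the bytes remaining in buffer before this point, because `strncmp(alias, buffer, tmp_len)` already reads that many bytes. The hunk header (15 lines before, 14 after) indicates one line is dropped besides the spprintf swap; if that is the `buffer[tmp_len] = '\0'` write, a short comment stating that buffer is not NUL-terminated here would keep a later change from reintroducing it.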

Related news

CVE-2016-5771: PHP: PHP 5 ChangeLog

spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.

CVE-2016-4343: PHP: PHP 7 ChangeLog

The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.

CVE-2014-3479: PHP: PHP 5 ChangeLog

The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.
