dashiwa / php52-backports

Automatically exported from code.google.com/p/php52-backports

CVE-2014-3515: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion #40

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Unserialize() contains a nasty remote code execution flaw.  This is exposed to 
a great deal of user data and so is a pretty nasty one.

PHP 5.4 bug: https://bugs.php.net/bug.php?id=67492
PHP 5.4 patch: http://git.php.net/?p=php-src.git;a=commit;h=a374dfab567ff7f0ab0dc150f14cc891b0340b47

This patch does not apply to PHP 5.2.17, as there is no unserialize function in 
spl_array.c.   But grepping found the same code with the same problem in 
ext/spl_observer.c, function SPL_METHOD(SplObjectStorage, unserialize), line 
401:

    ALLOC_INIT_ZVAL(pmembers);
    if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
        zval_ptr_dtor(&pmembers);
        goto outexcept;
    }

As the code appears identical to that in the PHP 5.4 patch, I would expect the 
same thing to work.  I'm preparing a patch now for testing and will attach it 
here when it's ready. 

Original issue reported on code.google.com by dam...@affinitybridge.com on 8 Jul 2014 at 10:03
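As an added example that is not part of this issue thread or the php52-backports project: a PHP-side guard for deployments that cannot apply the backported patch yet. It refuses to unserialize untrusted data that names either affected class, so their custom unserialize handlers are never reached. The function names and the sample strings below are constructed for this example.

```php
<?php
// Added example, not code from the issue or the project.
// Serialized class references look like  C:16:"SplObjectStorage":...  (class
// with its own unserialize handler) or  O:11:"ArrayObject":...  (plain object).
// unserialize() resolves class names case-insensitively, so match the same way.

function contains_affected_spl_class($serialized)
{
    $pattern = '/[CO]:\d+:"(?:SplObjectStorage|ArrayObject)"/i';
    // Deliberately matches anywhere, even inside string values: a benign
    // payload that merely contains the token is rejected (fail closed)
    // rather than risk letting a crafted one through.
    return preg_match($pattern, $serialized) === 1;
}

function unserialize_untrusted($serialized)
{
    if (contains_affected_spl_class($serialized)) {
        return false; // same failure signal unserialize() itself returns
    }
    return unserialize($serialized);
}

// Constructed inputs for a quick self-check; not real payloads.
$plain_array = 'a:1:{s:1:"k";i:42;}';
$spl_storage = 'C:16:"SplObjectStorage":0:{}';

$accepted = unserialize_untrusted($plain_array);
$rejected = unserialize_untrusted($spl_storage);
echo is_array($accepted) && $rejected === false ? "guard ok\n" : "guard broken\n";
```

The guard only blocks the two classes the report names; untrusted input that must contain other classes still needs the actual fix.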

GoogleCodeExporter commented 8 years ago
Correction - the PHP 5.2 function affected is ext/spl/spl_observer.c.  Attached 
is a patch containing the fix.

Original comment by dam...@affinitybridge.com on 8 Jul 2014 at 10:12

GoogleCodeExporter commented 8 years ago
I can vouch for this patch.

By looking at the code here: 
http://lxr.php.net/xref/PHP_5_2/ext/spl/spl_observer.c
It seems to be the correct fix to this problem.

Thank you for providing it.

Original comment by NewEraCr...@gmail.com on 30 Jul 2014 at 5:27