CNVD-2015-05699

Vulnerability from cnvd - Published: 2015-08-27
VLAI Severity ?
Title
PHP 7 ZEND_HASH_IF_FULL_DO_RESIZE内存错误引用漏洞
Description
PHP(外文名: Hypertext Preprocessor,中文名:“超文本预处理器”)是一种通用开源脚本语言。 PHP 7 ZEND_HASH_IF_FULL_DO_RESIZE存在内错错误引用漏洞。当反序列化字符串时,如果HashTable哈希表中使用的元素个数超过哈希表本身的容量,就会重新申请一块更大的内存放置元素,并释放掉之前使用过的内存,然而这时R或r引用引用了释放掉的内存,造成Use After Free漏洞。
Severity
Formal description

目前没有详细解决方案提供: http://www.php.net/

Reference
http://blog.knownsec.com/2015/08/php-7-zend_hash_if_full_do_resize-use-after-free-analysis/ https://bugs.php.net/bug.php?id=70211
Impacted products
Name
['PHP Php 7.0.0alpha1', 'PHP Php 7.0.0alpha2', 'PHP Php 7.0.0beta1', 'PHP Php php-7.0.0beta2']
Show details on source website
To clipboard 

{
  "description": "PHP\uff08\u5916\u6587\u540d: Hypertext Preprocessor\uff0c\u4e2d\u6587\u540d\uff1a\u201c\u8d85\u6587\u672c\u9884\u5904\u7406\u5668\u201d\uff09\u662f\u4e00\u79cd\u901a\u7528\u5f00\u6e90\u811a\u672c\u8bed\u8a00\u3002\r\n\r\nPHP 7 ZEND_HASH_IF_FULL_DO_RESIZE\u5b58\u5728\u5185\u9519\u9519\u8bef\u5f15\u7528\u6f0f\u6d1e\u3002\u5f53\u53cd\u5e8f\u5217\u5316\u5b57\u7b26\u4e32\u65f6\uff0c\u5982\u679cHashTable\u54c8\u5e0c\u8868\u4e2d\u4f7f\u7528\u7684\u5143\u7d20\u4e2a\u6570\u8d85\u8fc7\u54c8\u5e0c\u8868\u672c\u8eab\u7684\u5bb9\u91cf\uff0c\u5c31\u4f1a\u91cd\u65b0\u7533\u8bf7\u4e00\u5757\u66f4\u5927\u7684\u5185\u5b58\u653e\u7f6e\u5143\u7d20\uff0c\u5e76\u91ca\u653e\u6389\u4e4b\u524d\u4f7f\u7528\u8fc7\u7684\u5185\u5b58\uff0c\u7136\u800c\u8fd9\u65f6R\u6216r\u5f15\u7528\u5f15\u7528\u4e86\u91ca\u653e\u6389\u7684\u5185\u5b58\uff0c\u9020\u6210Use After Free\u6f0f\u6d1e\u3002",
  "discovererName": "niubl",
  "formalWay": "\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\uff1a\r\nhttp://www.php.net/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-05699",
  "openTime": "2015-08-27",
  "products": {
    "product": [
      "PHP Php 7.0.0alpha1",
      "PHP Php 7.0.0alpha2",
      "PHP Php  7.0.0beta1",
      "PHP Php  php-7.0.0beta2"
    ]
  },
  "referenceLink": "http://blog.knownsec.com/2015/08/php-7-zend_hash_if_full_do_resize-use-after-free-analysis/\r\nhttps://bugs.php.net/bug.php?id=70211",
  "serverity": "\u9ad8",
  "submitTime": "2015-08-19",
  "title": "PHP 7 ZEND_HASH_IF_FULL_DO_RESIZE\u5185\u5b58\u9519\u8bef\u5f15\u7528\u6f0f\u6d1e"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.