The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of PHP: double free of SplObjectStorage

Synthesis of the vulnerability

When a PHP application unserializes malicious SplObjectStorage data, a double memory free occurs, and can lead to code execution.
Vulnerable systems: Debian, Fedora, Mandriva Linux, openSUSE, PHP, Slackware, SLES.
Severity of this threat: 2/4.
Creation date: 25/06/2010.
References of this weakness: 605641, BID-40948, CERTA-2002-AVI-279, CVE-2010-2225, DSA-2089-1, FEDORA-2010-11428, FEDORA-2010-11481, MDVSA-2010:139, MDVSA-2010:140, MOPS-2010-061, openSUSE-SU-2010:0599-1, openSUSE-SU-2010:0678-1, SSA:2010-240-04, SUSE-SR:2010:017, SUSE-SR:2010:018, VIGILANCE-VUL-9728.

Description of the vulnerability

The SplObjectStorage class stores objects.

The SplObjectStorage::serialize() method converts an object to a string. The SplObjectStorage::unserialize() method performs the reverse operation.

However, SplObjectStorage::unserialize() can free a memory area that has already been freed (a double free), which corrupts the heap.

When a PHP application unserializes malicious SplObjectStorage data, a double memory free thus occurs, and can lead to code execution.
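As an added example (not code from the Vigil@nce bulletin or from the PHP project), the following wrapper shows the defensive side of this bug: serialized data from an untrusted source is refused before it can reach SplObjectStorage::unserialize(), and the allowed_classes option (assumed available, i.e. PHP 7.0 or later; on the affected 5.2/5.3 branches the only fix is the upgrade listed below) is used as a second layer. The function name safe_unserialize and the sample inputs are constructed for this illustration.

```php
<?php
// Added example: a defensive wrapper around unserialize() for payloads
// that may come from an untrusted source (cookies, form fields, caches).
// Assumes PHP >= 7.0 for the allowed_classes option.

/**
 * Refuse serialized payloads that would instantiate classes, so that a
 * crafted SplObjectStorage payload never reaches the class's own
 * unserialize() handler. Returns the decoded value, or false on refusal.
 */
function safe_unserialize(string $payload)
{
    // Detect object tokens up front so the refusal can be logged:
    //   O:<len>:"Class":...  plain objects
    //   C:<len>:"Class":...  classes with custom serialize()/unserialize(),
    //                        which is how SplObjectStorage is serialized.
    // A false positive on a string that merely contains such a token is
    // acceptable here: the wrapper is meant to be conservative.
    if (preg_match('/(?:^|[;{])[OC]:\d+:"([^"]+)"/', $payload, $m)) {
        error_log(sprintf('safe_unserialize: refused payload carrying class %s', $m[1]));
        return false;
    }

    // Defence in depth: even if the check above were bypassed,
    // allowed_classes=false yields __PHP_Incomplete_Class objects instead of
    // invoking the class's unserialize() handler.
    $value = unserialize($payload, ['allowed_classes' => false]);
    if ($value === false && $payload !== serialize(false)) {
        return false; // malformed data, not a genuine boolean false
    }
    return $value;
}

// Constructed sample inputs.
$trusted = serialize(['user' => 'alice', 'roles' => ['editor']]);
var_dump(safe_unserialize($trusted));          // array(2) { ... }

$storage = new SplObjectStorage();
$storage->attach(new stdClass());
$objectPayload = serialize($storage);          // starts with C:16:"SplObjectStorage":
var_dump(safe_unserialize($objectPayload));    // bool(false), and a log line is written
```

The general rule the example enforces is the one the bulletin implies: never hand data an attacker can influence to unserialize(); use a data-only format such as JSON for external state.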

This vulnerability bulletin impacts software or systems such as Debian, Fedora, Mandriva Linux, openSUSE, PHP, Slackware, SLES.

Our Vigil@nce team determined that the severity of this security note is medium.

The trust level of this note is "confirmed by the editor", with an origin of "document".

An attacker with expert ability can exploit this cybersecurity note.

Solutions for this threat

PHP: version 5.3.3.
Version 5.3.3 is corrected:
  http://www.php.net/

PHP: version 5.2.14.
Version 5.2.14 is corrected:
  http://www.php.net/

Debian: new php5 packages.
New packages are available:
  http://security.debian.org/pool/updates/main/p/php5/php5-*_5.2.6.dfsg.1-1+lenny9_*.deb

Fedora 13: new maniadrive packages.
New packages are available:
  maniadrive-1.2-22.fc13

Fedora: new php-eaccelerator packages.
New packages are available:
  php-eaccelerator-0.9.6.1-2.fc13
  php-eaccelerator-0.9.6.1-2.fc12

Fedora: new php packages.
New packages are available:
  php-5.3.3-1.fc12
  php-5.3.3-1.fc13

Mandriva 2010: new php packages.
New packages are available:
  Mandriva Linux 2010.0: php-5.3.3-0.1mdv2010.0
  Mandriva Linux 2010.1: php-5.3.3-0.1mdv2010.1

Mandriva: new php packages (27/07/2010).
New packages are available:
  Mandriva Linux 2008.0: php-5.2.14-0.1mdv2008.0
  Mandriva Linux 2009.0: php-5.2.14-0.1mdv2009.0
  Mandriva Linux 2009.1: php-5.2.14-0.1mdv2009.1
  Corporate 4.0: php-5.2.14-0.1.20060mlcs4
  Mandriva Enterprise Server 5: php-5.2.14-0.1mdvmes5.1

openSUSE: new php5 packages.
New packages are available:
  openSUSE 11.1: php5-5.2.14-0.1.1
  openSUSE 11.2: php5-5.3.3-0.1.1
  openSUSE 11.3: php5-5.3.3-0.1.2

Slackware: new php packages.
New packages are available:
  ftp://ftp.slackware.com/pub/slackware/slackware-11.0/extra/php5/php-5.2.14-i486-1_slack11.0.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/php-5.2.14-i486-1_slack12.0.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/php-5.2.14-i486-1_slack12.1.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/php-5.2.14-i486-1_slack12.2.tgz
  ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/php-5.2.14-i486-1_slack13.0.txz
  ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/php-5.2.14-x86_64-1_slack13.0.txz
  ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/php-5.2.14-i486-1_slack13.1.txz
  ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/php-5.2.14-x86_64-1_slack13.1.txz

SUSE: new packages (07/10/2010).
New packages are available, as indicated in information sources.

SUSE: new packages (21/09/2010).
New packages are available, as indicated in information sources.

Computer vulnerabilities tracking service

Vigil@nce provides a computer vulnerabilities watch. The technology watch team tracks security threats targeting computer systems.