Package: php7.0
Version: 7.0.14-2
Severity: important
Tags: security, upstream, fixed-upstream

A bug was found showing that PHP uses uninitialized memory during calls to `unserialize()`. As the following report shows, the payload supplied to `unserialize()` may control this uninitialized memory region and thus may be used to trick PHP into operating on faked objects and calling attacker-controlled destructor function pointers. The supplied proof of concept exploit practically demonstrates the issue by executing arbitrary code solely by passing a specially crafted string to `unserialize()`. Even though this particular demo exploit only works locally, this flaw is very likely to also allow for remote code execution.

Upstream bug report for additional details: https://bugs.php.net/bug.php?id=73832

Fix: https://gist.github.com/anonymous/9fbe5ccbe8e18659bec11ac963fd07a3

--
Henri Salo