Hi, any web application that allows passing unsanitized data to unserialize() is doomed, so I don't really think that this requires immediate attention.
This will get fixed in a normal security cycle with the next PHP release (or I'll add the patch on top of the next release).

Cheers,
--
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flours from the mill and supplies for baking bread of all kinds

On Wed, Jan 4, 2017, at 14:53, Henri Salo wrote:
> Package: php7.0
> Version: 7.0.14-2
> Severity: important
> Tags: security, upstream, fixed-upstream
>
> There was found a bug showing that PHP uses uninitialized memory during
> calls to `unserialize()`. As the following report shows, the payload
> supplied to `unserialize()` may control this uninitialized memory region
> and thus may be used to trick PHP into operating on faked objects and
> calling attacker-controlled destructor function pointers. The supplied
> proof of concept exploit practically demonstrates the issue by executing
> arbitrary code solely by passing a specially crafted string to
> `unserialize()`. Even though this particular demo exploit only works
> locally, this flaw is very likely to also allow for remote code execution.
>
> Upstream bug report for additional details:
> https://bugs.php.net/bug.php?id=73832
> Fix: https://gist.github.com/anonymous/9fbe5ccbe8e18659bec11ac963fd07a3
>
> --
> Henri Salo
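
The point made in the reply about unsanitized data reaching `unserialize()`, as an added example that is not part of the original thread or of PHP's own code: the serialized payload is authenticated with an HMAC and rejected before the parser sees a single byte of it. The key constant, the function names `seal()` / `open_sealed()` and the token layout are assumptions made for illustration.

```php
<?php
// Added example: authenticate serialized data before it reaches unserialize().
// Assumed token layout: base64(serialized payload) "." hex(HMAC-SHA256).

const SECRET_KEY = 'constructed-demo-key'; // constructed value; load from config in practice

function seal($value, string $key): string
{
    $payload = serialize($value);
    $mac = hash_hmac('sha256', $payload, $key);
    return base64_encode($payload) . '.' . $mac;
}

function open_sealed(string $token, string $key)
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('malformed token');
    }
    $payload = base64_decode($parts[0], true); // strict mode: reject non-base64 input
    if ($payload === false) {
        throw new InvalidArgumentException('malformed payload');
    }
    $expected = hash_hmac('sha256', $payload, $key);
    // Constant-time comparison; a forged or modified payload stops here,
    // so the unserialize() parser only ever runs on bytes we produced.
    if (!hash_equals($expected, $parts[1])) {
        throw new RuntimeException('MAC mismatch');
    }
    // Defense in depth: plain data only, no object instantiation.
    return unserialize($payload, ['allowed_classes' => false]);
}

// Constructed sample data: round trip of a legitimate value.
$token = seal(['user' => 'alice', 'cart' => [3, 7]], SECRET_KEY);
var_dump(open_sealed($token, SECRET_KEY));

// Constructed tampering: new payload, old MAC. Rejected before parsing.
$mac = explode('.', $token, 2)[1];
$tampered = base64_encode('a:1:{s:4:"user";s:4:"root";}') . '.' . $mac;
try {
    open_sealed($tampered, SECRET_KEY);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The `allowed_classes` option only restricts which classes are instantiated; the MAC check is what keeps untrusted bytes away from the parser.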