K17377 : PHP vulnerabilities CVE-2015-6834, CVE-2015-6835, CVE-2015-6836, CVE-2015-6837, and CVE-2015-6838

Published: 2015-10-08 00:00:00
Source: my.f5.com
AI Score: 8.9 High (Confidence: High)
EPSS: 0.201 Low (Percentile: 96.4%)

Security Advisory Description

A use-after-free vulnerability was found in the unserialize() function. A ZVAL can be created and then freed via Serializable::unserialize, yet unserialize() still allows the R: or r: tokens to set references to that already-freed memory. The resulting use-after-free can be exploited to execute arbitrary code remotely.

A use-after-free vulnerability was found in the session deserializer. When the session deserializer (php/php_binary) deserializes multiple data items, it calls php_var_unserialize() multiple times. A ZVAL can be created and then freed by php_var_unserialize() using a crafted serialized string; the next call to php_var_unserialize() still allows the R: or r: tokens to set references to that already-freed memory. The resulting use-after-free can be exploited to execute arbitrary code remotely.

A type confusion occurs within the SOAP serialize_function_call function due to insufficient validation of the headers field. In SoapClient's __call method, the verify_soap_headers_array check is applied only to the headers retrieved from zend_parse_parameters; the problem is that a few lines later, soap_headers can be updated or even replaced with values from the default_headers object fields, which are never checked.

The XSLTProcessor class is missing several checks on input received from the libxslt library. In particular, the valuePop() function call can return a NULL pointer, and PHP does not check for that case.

Impact

An attacker may require administrative privileges or exploitation of another vulnerability to gain the ability to create or upload input that causes the vulnerable functions to run. When the vulnerability is exploited, the attacker may be able to run arbitrary code remotely.