CVE-2020-7068

CVE-2020-7068 php: Use of freed hash key in the phar_parse_zipfile function

Publication Date 2020-08-06
Severity Low
Type Information Disclosure
Affected PHP Versions
  • 5.6.0 - 5.6.40
  • 7.0.0 - 7.0.33
  • 7.1.0 - 7.1.33
  • 7.2.0 - 7.2.32
  • 7.3.0 - 7.3.20
  • 7.4.0 - 7.4.8
Fixed Product Versions
  • ZendPHP 5.6
  • ZendPHP 7.1
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendServer 2019.0.5

CVE Details

The PHAR extension to PHP has a setting, phar.cache_list, that allows providing a map of PHAR archives to pre-parse at runtime startup, which provides a performance boost when running files out of these archives. However, in PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21, and 7.4.x below 7.4.9, a specially crafted PHAR file in that list that uses zip compression could exploit a PHAR parsing issue to access sensitive freed memory data.

Recommendations

Upgrade to PHP 7.2.33 or later, PHP 7.3.21 or later, or 7.4.9 or later, if possible.

If not, and you use the phar.cache_list setting to pre-parse PHAR files, audit your PHAR files, and do not use untrusted PHAR files in your web-facing applications.