Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu,  6 Nov 2014 06:35:38 -0500 (EST)
From: cve-assign@...re.org
To: thoger@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: PHP xmlrpc date_from_ISO8601() buffer overflow (in php < 5.2.7)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> While looking at the recent PHP CVE-2014-3668, a worse problem was
> spotted in the same code that affected older PHP versions.  The
> date_from_ISO8601() function optionally copied input to a fixed size
> local buffer without performing any bounds checks:
> 
> http://git.php.net/?p=php-src.git;a=blob;f=ext/xmlrpc/libxmlrpc/xmlrpc.c;h=d82f270#l168
> 
> The issue was reported and corrected via:
> 
> https://bugs.php.net/bug.php?id=45226
> http://git.php.net/?p=php-src.git;a=commit;h=c818d0d01341907fee82bdb81cab07b7d93bb9db
> 
> The fix was included in PHP 5.2.7:
> 
> http://php.net/ChangeLog-5.php#5.2.7
> 
>   Fixed bugs #45226, #18916 (xmlrpc_set_type() segfaults and wrong behavior
>   with valid ISO8601 date string). (Jeff Lawsons)
> 
> It wasn't flagged as security fix, which seems incorrect to me.  This
> overflow can be triggered by a malicious XML passed to xmlrpc_decode*
> PHP functions.

Use CVE-2014-8626.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUW1xjAAoJEKllVAevmvmsOowIAIsXbqHmKb2XiWPEulUL+DS8
rokejI8IfqNaRYwlAs8LPOkzB5zsKnbSHtFgVhOCaOXgfASPSU5IuL2yyxami2rW
WuNmzW3vU8U5lBkVe11km8OqO2Db9z9KtDyuBOVG1hCFbzNTTljwwzri4lTpGzxN
vUTLzaBBW3DCFp0ADEET2ua54HJLbzRxDRHbK9L4HuHfKao/PzuAZz02+xv6LYgU
u+oq+CKHYnqfOMUomaOy1KPeYEEL1UGhCoCqmdR7geKE/KoEDVI+ueTwM+mZKo9Z
0IaE+Wh4gZV88/TkthzRcnLdqqSdCKpJCEEoUrvPTr+rpKXRp+rvhVOwx0+dKtg=
=mwMi
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ