Date: Wed, 5 Nov 2014 16:14:01 +0100
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: PHP xmlrpc date_from_ISO8601() buffer overflow (in php < 5.2.7)

Hi!

While looking at the recent PHP CVE-2014-3668, a worse problem was spotted in the same code that affected older PHP versions. The date_from_ISO8601() function optionally copied input to a fixed size local buffer without performing any bounds checks:

http://git.php.net/?p=php-src.git;a=blob;f=ext/xmlrpc/libxmlrpc/xmlrpc.c;h=d82f270#l168

The issue was reported and corrected via:

https://bugs.php.net/bug.php?id=45226
http://git.php.net/?p=php-src.git;a=commitdiff;h=c818d0d

The fix was included in PHP 5.2.7:

http://php.net/ChangeLog-5.php#5.2.7

Fixed bugs #45226, #18916 (xmlrpc_set_type() segfaults and wrong behavior with valid ISO8601 date string). (Jeff Lawsons)

It wasn't flagged as security fix, which seems incorrect to me. This overflow can be triggered by a malicious XML passed to xmlrpc_decode* PHP functions.

Can a CVE be assigned? I'm not sure if this needs 2008 or 2014 id.

-- 
Tomas Hoger / Red Hat Product Security
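The defect described in the post is the classic one of normalising untrusted text into a fixed-size stack buffer without checking whether it fits. The C below is an added illustration of the bounds-checked form of that pattern; it is not libxmlrpc's date_from_ISO8601() or the PHP fix, and it assumes a hypothetical 18-byte buffer and a parser that strips '-' separators while copying, neither of which the message specifies.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical size for the normalised timestamp ("YYYYMMDDTHH:MM:SS" is
 * 17 characters plus the NUL). The message does not give libxmlrpc's real
 * buffer size; this value is an assumption for the example. */
#define DATE_BUF_LEN 18

/* Copy the ISO 8601 text into out[], dropping '-' separators the way a
 * normalising date parser might, but refusing any input that would not
 * fit. Returns the number of characters written (excluding the NUL), or
 * -1 when the stripped input would exceed out_len bytes. The unchecked
 * variant of this loop, writing until it hits the input's NUL, is the
 * overflow the post describes. */
int normalise_iso8601(const char *in, char *out, size_t out_len)
{
    size_t n = 0;
    if (out_len == 0) return -1;
    for (const char *p = in; *p != '\0'; p++) {
        if (*p == '-') continue;        /* separator, not copied */
        if (n + 1 >= out_len) {         /* keep one byte for the NUL */
            out[0] = '\0';
            return -1;                  /* would overflow: reject input */
        }
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* Mirrors a parser holding the normalised date in a local fixed buffer.
 * Returns 1 when the input fit, 0 when it was rejected. */
int date_fits_fixed_buffer(const char *in)
{
    char buf[DATE_BUF_LEN];
    return normalise_iso8601(in, buf, sizeof buf) >= 0;
}

/* Helper for checking results: normalise into the fixed buffer and
 * compare with the expected string. */
int normalise_matches(const char *in, const char *expected)
{
    char buf[DATE_BUF_LEN];
    if (normalise_iso8601(in, buf, sizeof buf) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a well-formed date and an over-long one with
     * fractional seconds that exceeds the 18-byte buffer after stripping. */
    return (date_fits_fixed_buffer("2014-11-05T16:14:01") == 1 &&
            date_fits_fixed_buffer("2014-11-05T16:14:01.123456789") == 0) ? 0 : 1;
}
```

The key design point is that the destination length is passed in and checked on every write, so an over-long value is rejected with an error code instead of silently running past the end of the buffer; a caller should then fail the decode rather than proceed with a truncated date.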