Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20141105161401.4dd89654@redhat.com>
Date: Wed, 5 Nov 2014 16:14:01 +0100
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: PHP xmlrpc date_from_ISO8601() buffer overflow (in php
 < 5.2.7)

Hi!

While looking at the recent PHP CVE-2014-3668, a worse problem was
spotted in the same code that affected older PHP versions.  The
date_from_ISO8601() function optionally copied input to a fixed size
local buffer without performing any bounds checks:

http://git.php.net/?p=php-src.git;a=blob;f=ext/xmlrpc/libxmlrpc/xmlrpc.c;h=d82f270#l168

The issue was reported and corrected via:

https://bugs.php.net/bug.php?id=45226
http://git.php.net/?p=php-src.git;a=commitdiff;h=c818d0d

The fix was included in PHP 5.2.7:

http://php.net/ChangeLog-5.php#5.2.7

  Fixed bugs #45226, #18916 (xmlrpc_set_type() segfaults and wrong behavior
  with valid ISO8601 date string). (Jeff Lawsons)

It wasn't flagged as security fix, which seems incorrect to me.  This
overflow can be triggered by a malicious XML passed to xmlrpc_decode*
PHP functions.

Can a CVE be assigned?  I'm not sure if this needs 2008 or 2014 id.

-- 
Tomas Hoger / Red Hat Product Security

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.