
Bug 344061 (CVE-2010-3870)

Summary: dev-lang/php: UTF-8 Decoding Vulnerabilities (CVE-2010-3870)
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED DUPLICATE
Severity: minor
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://svn.php.net/viewvc?view=revision&revision=304959
Whiteboard: B3 [upstream/ebuild]
Package list:
Runtime testing required: ---
Reporter: Tim Sammut (RETIRED) <underling>
Assignee: Gentoo Security <security>
CC: php-bugs

Description Tim Sammut (RETIRED) gentoo-dev 2010-11-04 01:39:39 UTC
I do not see a lot of good information on this issue. The upstream bug (http://bugs.php.net/bug.php?id=49687) indicates that errors in decoding UTF-8 can enable XSS and SQL injection.

The upstream revision at $URL states:

- Fixed bug #49687 (utf8_decode vulnerabilities and deficiencies in the number
  of reported malformed sequences).

The SuSE folks have found that 5.2 is vulnerable as well:

http://www.openwall.com/lists/oss-security/2010/11/03/1
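The defensive lesson behind the fixed upstream bug is that text which is decoded leniently, or whose malformed sequences are under-reported, can reach an HTML or SQL layer as something other than what a filter saw. The following is an added illustration, not code from this bug, from PHP or from the upstream fix: a strict UTF-8 decoder in Python that follows the RFC 3629 byte ranges, replaces each malformed sequence with U+FFFD and reports every one with its offset and reason, plus a wrapper that refuses input outright unless it validated cleanly. The sample byte strings are constructed for the demonstration.

```python
"""Strict UTF-8 validation that reports every malformed sequence.

Added example (not part of the bug report or of PHP). It decodes bytes
using the RFC 3629 lead/continuation byte ranges, so overlong forms,
UTF-16 surrogates, code points above U+10FFFF, truncated sequences and
stray continuation bytes are each detected and reported rather than
silently accepted.
"""
from typing import Dict, List, Tuple

# For each valid lead byte: (sequence length, lowest 2nd byte, highest 2nd byte).
# The narrowed second-byte ranges are what exclude overlong encodings
# (E0 80..9F, F0 80..8F), surrogates (ED A0..BF) and > U+10FFFF (F4 90..BF).
def _lead_table() -> Dict[int, Tuple[int, int, int]]:
    table: Dict[int, Tuple[int, int, int]] = {}
    for b in range(0xC2, 0xE0):
        table[b] = (2, 0x80, 0xBF)
    table[0xE0] = (3, 0xA0, 0xBF)
    for b in range(0xE1, 0xED):
        table[b] = (3, 0x80, 0xBF)
    table[0xED] = (3, 0x80, 0x9F)
    for b in range(0xEE, 0xF0):
        table[b] = (3, 0x80, 0xBF)
    table[0xF0] = (4, 0x90, 0xBF)
    for b in range(0xF1, 0xF4):
        table[b] = (4, 0x80, 0xBF)
    table[0xF4] = (4, 0x80, 0x8F)
    return table

_LEAD = _lead_table()


def strict_utf8_decode(data: bytes) -> Tuple[str, List[Tuple[int, str]]]:
    """Return (text, errors). Each malformed sequence becomes one U+FFFD and
    one (offset, reason) entry; the consumed bytes are the longest prefix
    that could still have started a valid sequence (Unicode's "maximal
    subpart" practice), so nothing after a bad byte is skipped unexamined."""
    out: List[str] = []
    errors: List[Tuple[int, str]] = []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                      # plain ASCII
            out.append(chr(b))
            i += 1
            continue
        spec = _LEAD.get(b)
        if spec is None:                  # C0, C1, F5..FF or a lone 80..BF
            reason = "stray continuation byte" if b <= 0xBF else "invalid lead byte"
            errors.append((i, reason))
            out.append("\ufffd")
            i += 1
            continue
        length, lo, hi = spec
        cp = b & (0x7F >> length)         # payload bits of the lead byte
        j = 1
        while j < length:
            if i + j >= n:
                errors.append((i, "truncated sequence"))
                break
            c = data[i + j]
            lo_j, hi_j = (lo, hi) if j == 1 else (0x80, 0xBF)
            if not lo_j <= c <= hi_j:
                if j == 1 and 0x80 <= c <= 0xBF:
                    errors.append((i, "overlong, surrogate or out-of-range code point"))
                else:
                    errors.append((i, "bad continuation byte"))
                break
            cp = (cp << 6) | (c & 0x3F)
            j += 1
        out.append(chr(cp) if j == length else "\ufffd")
        i += j                            # consume only the examined prefix
    return "".join(out), errors


def is_well_formed(data: bytes) -> bool:
    """True when the input contains no malformed UTF-8 sequence at all."""
    return not strict_utf8_decode(data)[1]


def validated_text(data: bytes) -> str:
    """Refuse input that is not well-formed UTF-8. HTML escaping or SQL
    parameterisation should run on this validated text, never on raw bytes
    that a lenient decoder may reinterpret differently."""
    text, errors = strict_utf8_decode(data)
    if errors:
        raise ValueError(f"{len(errors)} malformed UTF-8 sequence(s), first: {errors[:3]}")
    return text


if __name__ == "__main__":
    # Constructed samples: valid text, an overlong '/', a surrogate, a cut-off sequence.
    for raw in (b"caf\xc3\xa9", b"\xc0\xaf", b"\xed\xa0\x80", b"\xe2\x82"):
        text, errs = strict_utf8_decode(raw)
        print(raw, "->", repr(text), errs)
```

The decoder deliberately agrees with Python's own `bytes.decode("utf-8", "replace")` on how many replacement characters a malformed run produces, which makes it easy to cross-check; the extra value is the per-offset error list, which is exactly the "number of reported malformed sequences" a caller needs in order to reject rather than repair questionable input.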
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-11-15 03:45:00 UTC
Here is the commit to PHP 5.2.

http://svn.php.net/viewvc?view=revision&revision=305055
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-12-10 06:00:15 UTC

*** This bug has been marked as a duplicate of bug 340807 ***