Bug 537590 (CVE-2015-1353) - dev-lang/php: integer overflow (CVE-2015-1353)
Summary: dev-lang/php: integer overflow (CVE-2015-1353)
Status: RESOLVED UPSTREAM
Alias: CVE-2015-1353
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [noglsa]
Reported: 2015-01-24 20:06 UTC by Agostino Sarubbo
Modified: 2016-03-14 11:44 UTC

Description Agostino Sarubbo gentoo-dev 2015-01-24 20:06:37 UTC
From ${URL} :

I found an integer overflow in PHP, in the conversion of dates to
"Julian Day Count" function.

The commit, with a PoC, can be found here:
https://github.com/MegaManSec/php-src/commit/a538d2f5605798422f2746636ecdc300f8ebcaa1

It seems to affect every version of PHP compiled with the calendar
extension.
The vulnerable code was committed in
3bc8debefe30aec801ee75878eba3ab6be00f301, at
Sat Apr 15 20:35:09 2000 +0000



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-24 20:06:19 UTC
@Maintainers: Any information on this? From what I can see the fix is currently not applied to http://git.php.net/?p=php-src.git;a=blob;f=ext/calendar/gregor.c;h=069fe6eb5ae7160dfae0fd62d9bdf28987953cd7;hb=HEAD . Is it something we should backport? 

Is anyone aware of an upstream bug report for this issue?
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2015-02-26 11:46:11 UTC
I am not aware of anything related to that issue.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-04-18 22:27:37 UTC
Still not committed.
Comment 4 Michael Orlitzky gentoo-dev 2015-11-07 01:53:38 UTC
There is a pull request here:

  https://github.com/php/php-src/pull/1008

I don't think this is worth backporting. Is anyone doing access control based on the output of a Gregorian/Julian calendar conversion function after the user supplies the year input? It's a stretch.

I suggest we get the fix whenever upstream adopts it.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-14 11:44:40 UTC
"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it cannot be considered a security issue in the originally named product because of that product's specification. Notes: none."

Withdrawn upstream.