From ${URL} : I found an integer overflow in PHP, in the conversion of dates to "Julian Day Count" function. The commit, with a PoC, can be found here: https://github.com/MegaManSec/php-src/commit/a538d2f5605798422f2746636ecdc300f8ebcaa1 It seems to affect every version of PHP compiled with the calendar extension. The vulnerable code was committed in 3bc8debefe30aec801ee75878eba3ab6be00f301, at Sat Apr 15 20:35:09 2000 +0000.
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
@Maintainers: Any information on this? From what I can see the fix is currently not applied to http://git.php.net/?p=php-src.git;a=blob;f=ext/calendar/gregor.c;h=069fe6eb5ae7160dfae0fd62d9bdf28987953cd7;hb=HEAD . Is it something we should backport? Is anyone aware of an upstream bug report for this issue?
I am not aware of anything related to that issue.
Still not committed.
There is a pull request here: https://github.com/php/php-src/pull/1008 I don't think this is worth backporting. Is anyone doing access control based on the output of a Gregorian/Julian calendar conversion function after the user supplies the year input? It's a stretch. I suggest we get the fix whenever upstream adopts it.
"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it cannot be considered a security issue in the originally named product because of that product's specification. Notes: none." Withdrawn upstream.