Bug 624056 - <dev-lang/php-{5.6.31, 7.0.21, 7.1.7}: wddx_deserialize() heap out-of-bound read via php_parse_date()
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=74819
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-06 20:09 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-09-24 19:06 UTC

See Also:
Package list:
Runtime testing required: ---

Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-06 20:09:26 UTC
From $URL:

Description:
------------
While deserializing an invalid dateTime value, wddx_deserialize() would result in a heap out-of-bounds read in timelib_meridian(). As wddx_deserialize() is exposed to network data, and sometimes echo the results back to client, this issue could potentially allow remote peeking of the process memory. It should also affect other PHP APIs that make use of timelib_meridian().
Comment 1 D'juan McDonald (domhnall) 2017-09-10 01:03:18 UTC
upstream patch:

https://gist.github.com/bd77ac90d3bdf31ce2a5251ad92e9e75
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-09-10 04:17:32 UTC
Please confirm if this is part of version 7.0.23, 7.1.9 being stabilized in bug #629452
Comment 3 Brian Evans (RETIRED) gentoo-dev 2017-09-10 12:29:17 UTC
(In reply to Yury German from comment #2)
> Please confirm if this is part of version 7.0.23, 7.1.9 being stabilized in
> bug #629452

This bug was fixed with PHP 7.0.21 and 7.1.7.
Comment 4 Brian Evans (RETIRED) gentoo-dev 2017-09-10 12:39:36 UTC
Also fixed with PHP 5.6.31 as well
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2017-09-24 19:06:33 UTC
GLSA Vote: No