
Bug 193799

Summary: dev-lang/php snmp and tidy buffer overflows (CVE-2007-3294)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: php-bugs
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/25735/
Whiteboard: B2 [upstream]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2007-09-25 21:49:01 UTC
According to Secunia:
  1) A boundary error exists within the tidy extension when processing
  arguments passed to the "tidy_parse_string()" function. This can be
  exploited to cause a stack-based buffer overflow via an overly long
  string passed as the second argument to the affected function.
  (CVE-2007-3294)

  2) A boundary error exists within the snmp extension when processing
  arguments passed to the "snmpget()" function. This can be exploited
  to cause a stack-based buffer overflow via an overly long string
  passed as the third parameter to the affected function.

We ship both extensions as USE-flags to PHP and they still seem unfixed upstream.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-09-25 21:51:38 UTC
php, please advise
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2007-10-07 09:32:58 UTC
Um, sorry, totally forgot about this bug as we discussed it already on IRC...

Current status:
1) I think it's Windows-only; there does not seem to be a patch for it anyway...
2) Same here... original "advisory" is at [1] btw
[1] http://retrogod.altervista.org/php_446_snmpget_local_bof.html
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2007-10-07 19:52:42 UTC
I cannot reproduce any of the bugs. The provided exploits contain Windows(-only) shellcode, but I think there should be at least some strangeness (segfault or something) on *nix.
Closing as invalid, reopen if you can prove me wrong. ;)