Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 399573 (CVE-2012-0789)

Summary: <dev-lang/php-5.3.9: strtotime timezone memory leak (CVE-2012-0789)
Product: Gentoo Security Reporter: Viorel Tabara <gentoo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugs.php.net/bug.php?id=53502
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Viorel Tabara 2012-01-21 02:10:25 UTC 
https://bugs.php.net/bug.php?id=53502

 [2010-12-08 21:04 UTC] jsheridan at tenable dot com

Description:
------------
strtotime calls with a timezone embedded function correctly but continually use
up 
memory. In a daemon program this becomes quickly fatal.


Test script:
---------------
<?php
while (true) {
    strtotime('Monday 00:00 Europe/Paris');    // Memory leak
}
?>

<?php
while (true) {
    date_default_timezone_set("Europe/Paris");
    strtotime('Monday 00:00');    // No memory leak
}
?>

Expected result:
----------------
Memory usage should remain stable.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-21 13:45:38 UTC 
Fixed in dev-lang/php-5.3.9 - added to existing GLSA request.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 04:10:07 UTC 
CVE-2012-0789 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0789):
  Memory leak in the timezone functionality in PHP before 5.3.9 allows remote
  attackers to cause a denial of service (memory consumption) by triggering
  many strtotime function calls, which are not properly handled by the
  php_date_parse_tzfile cache.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 00:27:38 UTC 
This issue was resolved and addressed in
 GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml
by GLSA coordinator Sean Amoss (ackle).