Summary: | <dev-lang/php-{5.4.32,5.5.16}: heap-based buffer overflow in DNS TXT record parsing (CVE-2014-{3597,4049}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | php-bugs |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1108447 | | |
Whiteboard: | A2 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-06-12 08:41:04 UTC
Ebuild for this one has been committed and can be stabilised

Updated in http://git.php.net/?p=php-src.git;a=commit;h=2fefae47716d501aec41c1102f3fd4531f070b05

Fixed Sec Bug #67717 segfault in dns_get_record
CVE-2014-3597
Incomplete fix for CVE-2014-4049

Check possible buffer overflow
- pass real buffer end to dn_expand calls
- check buffer len before each read

Patches:
PHP 5.5: http://git.php.net/?p=php-src.git;a=commit;h=529da0f74c1a230d0656799efc73a387392dbc10
PHP 5.4: http://git.php.net/?p=php-src.git;a=commit;h=2fefae47716d501aec41c1102f3fd4531f070b05

This is fixed in PHP 5.5.16 and 5.4.32

Arches, please stabilize
=dev-lang/php-5.5.16
=dev-lang/php-5.4.32
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

amd64 stable

x86 stable

alpha stable

arm stable

Stable for HPPA.

CVE-2014-4049 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4049): Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function.

CVE-2014-3597 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3597): Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049.

ia64/sparc stable

ppc stable

ppc64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

Arches: Thank you very much. Maintainers: Please cleanup

Added to existing GLSA request.

cleanup done

This issue was resolved and addressed in GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
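
The two checks named in the quoted commit message (bound reads by the real buffer end, and check the length before each read) look like this when applied to TXT RDATA. This is an added example, not PHP's php_parserr code and not part of the original bug report; the function name txt_rdata_copy, its parameters and the sample records are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not PHP's php_parserr: concatenates the
 * <character-string>s of one TXT RDATA into out. msg_end is the real end
 * of the received DNS message. Returns bytes written, -1 if malformed. */
long txt_rdata_copy(const unsigned char *rdata, size_t rdlen,
                    const unsigned char *msg_end,
                    unsigned char *out, size_t out_cap)
{
    size_t pos = 0, written = 0;

    /* RDLENGTH comes from the remote server: check it against the real
     * buffer end before using it as a loop bound. */
    if (rdata > msg_end || rdlen > (size_t)(msg_end - rdata))
        return -1;

    while (pos < rdlen) {
        size_t n = rdata[pos++];        /* length octet of this string */
        /* Check before each read: the string must fit in the remaining
         * RDATA and in the remaining output space. */
        if (n > rdlen - pos || n > out_cap - written)
            return -1;
        memcpy(out + written, rdata + pos, n);
        written += n;
        pos += n;
    }
    return (long)written;
}

/* Constructed sample records (not captured traffic). */
static const unsigned char GOOD_TXT[] = { 3, 'a', 'b', 'c', 2, 'd', 'e' };
/* Second length octet claims 200 bytes, but only 1 remains. */
static const unsigned char BAD_TXT[]  = { 3, 'a', 'b', 'c', 200, 'd' };
static unsigned char OUT[16];

int main(void)
{
    printf("good: %ld\n", txt_rdata_copy(GOOD_TXT, sizeof GOOD_TXT,
           GOOD_TXT + sizeof GOOD_TXT, OUT, sizeof OUT));
    printf("bad:  %ld\n", txt_rdata_copy(BAD_TXT, sizeof BAD_TXT,
           BAD_TXT + sizeof BAD_TXT, OUT, sizeof OUT));
    return 0;
}
```

Rejecting the record on the first inconsistent length, rather than clamping and continuing, keeps a malformed response from reaching the caller as partially parsed data.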