Bug 399573 (CVE-2012-0789) - <dev-lang/php-5.3.9: strtotime timezone memory leak (CVE-2012-0789)
Summary: <dev-lang/php-5.3.9: strtotime timezone memory leak (CVE-2012-0789)
Status: RESOLVED FIXED
Alias: CVE-2012-0789
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=53502
Whiteboard: B3 [glsa]
Reported: 2012-01-21 02:10 UTC by Viorel Tabara
Modified: 2012-09-24 00:27 UTC

Description Viorel Tabara 2012-01-21 02:10:25 UTC
https://bugs.php.net/bug.php?id=53502

 [2010-12-08 21:04 UTC] jsheridan at tenable dot com

Description:
------------
strtotime calls with a timezone embedded function correctly but continually use
up memory. In a daemon program this becomes quickly fatal.


Test script:
---------------
<?php
while (true) {
    strtotime('Monday 00:00 Europe/Paris');    // Memory leak
}
?>

<?php
while (true) {
    date_default_timezone_set("Europe/Paris");
    strtotime('Monday 00:00');    // No memory leak
}
?>

Expected result:
----------------
Memory usage should remain stable.
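
A bounded form of the test script above, usable as a regression check on an installed PHP build. This is an added example, not part of the original report. It assumes Linux with /proc and the PHP CLI; the function names, iteration count and threshold are constructed for illustration.

```php
<?php
// Added example, not part of the original report. Targets old PHP, so no
// PHP 7 syntax. Assumes Linux (/proc) and the CLI SAPI.

// Resident set size in kB. RSS also covers memory allocated outside PHP's
// own memory manager, which memory_get_usage() does not report.
function rss_kb()
{
    $status = @file_get_contents('/proc/self/status');
    if ($status === false || !preg_match('/^VmRSS:\s+(\d+)\s+kB/m', $status, $m)) {
        return null;
    }
    return (int) $m[1];
}

// Call strtotime($expr) $n times and return the RSS growth in kB.
function growth_kb($expr, $n)
{
    // Warm-up: keep one-time allocations (timezone data load) out of the delta.
    for ($i = 0; $i < 1000; $i++) {
        strtotime($expr);
    }
    $before = rss_kb();
    for ($i = 0; $i < $n; $i++) {
        strtotime($expr);
    }
    $after = rss_kb();
    return ($before === null || $after === null) ? null : $after - $before;
}

date_default_timezone_set('Europe/Paris');
$n        = 200000;  // constructed value: bounded, unlike while (true)
$limit_kb = 4096;    // constructed tolerance for allocator noise

$embedded = growth_kb('Monday 00:00 Europe/Paris', $n); // form reported as leaking
$plain    = growth_kb('Monday 00:00', $n);              // form reported as stable
if ($embedded === null || $plain === null) {
    fwrite(STDERR, "cannot read VmRSS from /proc/self/status\n");
    exit(2);
}
printf("PHP %s: embedded-timezone growth %d kB, default-timezone growth %d kB\n",
    PHP_VERSION, $embedded, $plain);
exit(($embedded - $plain) > $limit_kb ? 1 : 0); // 1 = growth consistent with the report
```
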
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-21 13:45:38 UTC
Fixed in dev-lang/php-5.3.9 - added to existing GLSA request.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 04:10:07 UTC
CVE-2012-0789 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0789):
  Memory leak in the timezone functionality in PHP before 5.3.9 allows remote
  attackers to cause a denial of service (memory consumption) by triggering
  many strtotime function calls, which are not properly handled by the
  php_date_parse_tzfile cache.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 00:27:38 UTC
This issue was resolved and addressed in
 GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml
by GLSA coordinator Sean Amoss (ackle).