Bug 399573 (CVE-2012-0789) - <dev-lang/php-5.3.9: strtotime timezone memory leak (CVE-2012-0789)
Summary: <dev-lang/php-5.3.9: strtotime timezone memory leak (CVE-2012-0789)
Alias: CVE-2012-0789
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Reported: 2012-01-21 02:10 UTC by Viorel Tabara
Modified: 2012-09-24 00:27 UTC
Description Viorel Tabara 2012-01-21 02:10:25 UTC

 [2010-12-08 21:04 UTC] jsheridan at tenable dot com

strtotime calls with a timezone embedded function correctly but continually use
memory. In a daemon program this becomes quickly fatal.

Test script:
while (true) {
    strtotime('Monday 00:00 Europe/Paris');    // Memory leak
}

while (true) {
    strtotime('Monday 00:00');    // No memory leak
}

Expected result:
Memory usage should remain stable.
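
A bounded version of the check described in the report, added here as an example and not part of the original report or of PHP itself: it measures resident memory growth for the timezone and non-timezone calls so a build can be tested without an endless loop. The helper names rss_kib and growth_kib, the iteration count and the threshold are assumptions of this example, and it reads /proc/self/status, so it needs Linux and the PHP CLI.

```php
<?php
// Added example: bounded check for the strtotime() timezone leak described above.
// Function names, iteration count and threshold are assumptions of this example.
// Syntax is kept compatible with PHP 5.3 so it also runs on affected versions.

// Resident set size of this process in KiB (Linux /proc only), or null.
function rss_kib()
{
    $status = @file_get_contents('/proc/self/status');
    if ($status !== false && preg_match('/^VmRSS:\s+(\d+)\s+kB/m', $status, $m)) {
        return (int) $m[1];
    }
    return null;
}

// RSS growth in KiB across $iterations calls of strtotime($expr), or null.
function growth_kib($expr, $iterations)
{
    for ($i = 0; $i < 1000; $i++) {   // warm-up so one-time allocations are excluded
        strtotime($expr);
    }
    $before = rss_kib();
    for ($i = 0; $i < $iterations; $i++) {
        strtotime($expr);
    }
    $after = rss_kib();
    return ($before === null || $after === null) ? null : $after - $before;
}

date_default_timezone_set('UTC');
$iterations   = 200000;  // assumption: enough calls for a per-call leak to show
$thresholdKib = 4096;    // assumption: growth above this counts as a leak

$withTz    = growth_kib('Monday 00:00 Europe/Paris', $iterations);
$withoutTz = growth_kib('Monday 00:00', $iterations);

if ($withTz === null || $withoutTz === null) {
    fwrite(STDERR, "cannot read /proc/self/status; run this on Linux\n");
    exit(2);
}
printf("PHP %s: +%d KiB with timezone, +%d KiB without\n", PHP_VERSION, $withTz, $withoutTz);
// The control case separates this leak from unrelated allocator growth.
exit(($withTz - $withoutTz) > $thresholdKib ? 1 : 0);
```

Exit status 1 means the timezone case grew noticeably more than the control case; 0 means memory stayed stable, which is the expected result stated above.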
Comment 1 Sean Amoss gentoo-dev Security 2012-01-21 13:45:38 UTC
Fixed in dev-lang/php-5.3.9 - added to existing GLSA request.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 04:10:07 UTC
CVE-2012-0789:
  Memory leak in the timezone functionality in PHP before 5.3.9 allows remote
  attackers to cause a denial of service (memory consumption) by triggering
  many strtotime function calls, which are not properly handled by the
  php_date_parse_tzfile cache.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 00:27:38 UTC
This issue was resolved and addressed in
 GLSA 201209-03 at
by GLSA coordinator Sean Amoss (ackle).