https://bugs.php.net/bug.php?id=53502

[2010-12-08 21:04 UTC] jsheridan at tenable dot com

Description:
------------
strtotime calls with a timezone embedded function correctly but continually use up memory. In a daemon program this becomes quickly fatal.

Test script:
---------------
<?php
while (true) {
    strtotime('Monday 00:00 Europe/Paris'); // Memory leak
}
?>

<?php
while (true) {
    date_default_timezone_set("Europe/Paris");
    strtotime('Monday 00:00'); // No memory leak
}
?>

Expected result:
----------------
Memory usage should remain stable.
Fixed in dev-lang/php-5.3.9 - added to existing GLSA request.
CVE-2012-0789 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0789): Memory leak in the timezone functionality in PHP before 5.3.9 allows remote attackers to cause a denial of service (memory consumption) by triggering many strtotime function calls, which are not properly handled by the php_date_parse_tzfile cache.
This issue was resolved and addressed in GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml by GLSA coordinator Sean Amoss (ackle).
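
A bounded regression check for the leak described above, for confirming that an installed PHP build carries the fix. This is an added example, not code from the PHP bug report or from this bug thread; it assumes PHP CLI on Linux (for /proc/self/status), and the iteration count and tolerance are assumed values.

```php
<?php
// Added example, not code from the bug report. Assumes PHP CLI on Linux.
const ITERATIONS = 50000;   // assumed; bounded so the check always terminates
const LIMIT_KB   = 4096;    // assumed tolerance for allocator noise

// Resident set size in kB, read from /proc so that memory allocated outside
// the Zend memory manager is counted too. Returns null where /proc is absent.
function rss_kb()
{
    $status = @file_get_contents('/proc/self/status');
    if ($status !== false && preg_match('/^VmRSS:\s+(\d+)\s+kB/m', $status, $m)) {
        return (int) $m[1];
    }
    return null;
}

// Current memory figure in kB: RSS when available, Zend heap otherwise.
function mem_kb()
{
    $rss = rss_kb();
    return $rss !== null ? $rss : (int) (memory_get_usage(true) / 1024);
}

// Growth in kB across ITERATIONS calls, after a warm-up that absorbs
// one-time allocations such as loading the timezone database entry.
function growth_kb($fn)
{
    for ($i = 0; $i < 1000; $i++) { $fn(); }
    $before = mem_kb();
    for ($i = 0; $i < ITERATIONS; $i++) { $fn(); }
    return mem_kb() - $before;
}

// Control: zone taken from the default setting (reported as not leaking).
$control = growth_kb(function () {
    date_default_timezone_set('Europe/Paris');
    strtotime('Monday 00:00');
});
// Case from the report: zone name embedded in the string being parsed.
$embedded = growth_kb(function () { strtotime('Monday 00:00 Europe/Paris'); });

printf("control: %d kB, embedded timezone: %d kB\n", $control, $embedded);
if ($embedded - $control > LIMIT_KB) {
    fwrite(STDERR, "FAIL: memory grows with embedded-timezone strtotime() calls\n");
    exit(1);
}
echo "OK: memory stable within tolerance\n";
```

The script exits non-zero when the embedded-timezone case grows more than the tolerance beyond the control, so it can be run as a post-upgrade check on hosts that run long-lived PHP processes.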