Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 472204 (CVE-2013-3735) - <dev-lang/php-{5.4.17,5.3.27} : DoS (memory exhaustion, application crash) via crafted function definition (CVE-2013-3735)
Summary: <dev-lang/php-{5.4.17,5.3.27} : DoS (memory exhaustion, application crash) vi...
Status: RESOLVED FIXED
Alias: CVE-2013-3735
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on: CVE-2013-2110
Blocks:
  Show dependency tree
 
Reported: 2013-06-03 18:31 UTC by Agostino Sarubbo
Modified: 2014-08-31 11:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-06-03 18:31:06 UTC
From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-3735 to the following vulnerability:

** DISPUTED ** The Zend Engine in PHP before 5.4.16 RC1, and 5.5.0 before RC2, does not properly determine whether a parser error occurred, which 
allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted function definition, as 
demonstrated by an attack within a shared web-hosting environment.  NOTE: the vendor's http://php.net/security-note.php page says "for critical 
security situations you should be using OS-level security by running multiple web servers each as their own user id."

References:
[1] https://bugs.php.net/bug.php?id=64660
[2] https://github.com/php/php-src/blob/php-5.4.16RC1/NEWS
[3] https://github.com/php/php-src/blob/php-5.5.0RC2/NEWS
[4] https://github.com/php/php-src/commit/fb58e69a84f4fde603a630d2c9df2fa3be16d846


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Ole Markus With (RETIRED) gentoo-dev 2013-06-07 12:18:11 UTC
Will be stabilised as part of bug 472558.
Removed the vulnerable rcs
Comment 2 Chris Reffett gentoo-dev Security 2013-08-27 03:46:57 UTC
Added to GLSA request.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 10:49:04 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:25:56 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).