Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 513032 (CVE-2014-4049) - <dev-lang/php-{5.4.32,5.5.16}: heap-based buffer overflow in DNS TXT record parsing (CVE-2014-{3597,4049})
Summary: <dev-lang/php-{5.4.32,5.5.16}: heap-based buffer overflow in DNS TXT record p...
Status: RESOLVED FIXED
Alias: CVE-2014-4049
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-12 08:41 UTC by Agostino Sarubbo
Modified: 2014-08-31 11:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-06-12 08:41:04 UTC
From ${URL} :

Stefan Esser pointed out that the following commit fixes a heap-based buffer overflow in DNS TXT record 
parsing:

https://github.com/php/php-src/commit/b34d7849ed90ced9345f8ea1c59bc8d101c18468

A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as 
the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Ole Markus With (RETIRED) gentoo-dev 2014-06-27 10:42:32 UTC
Ebuild for this one has been committed and can be stabilised
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2014-08-21 21:42:11 UTC
Updated in http://git.php.net/?p=php-src.git;a=commit;h=2fefae47716d501aec41c1102f3fd4531f070b05

Fixed Sec Bug #67717 segfault in dns_get_record CVE-2014-3597

Incomplete fix for CVE-2014-4049

Check possible buffer overflow
- pass real buffer end to dn_expand calls
- check buffer len before each read

Patches: 
PHP 5.5: http://git.php.net/?p=php-src.git;a=commit;h=529da0f74c1a230d0656799efc73a387392dbc10
PHP 5.4: http://git.php.net/?p=php-src.git;a=commit;h=2fefae47716d501aec41c1102f3fd4531f070b05
Comment 3 Kristian Fiskerstrand gentoo-dev Security 2014-08-22 18:59:17 UTC
This is fixed in PHP 5.5.16 and 5.4.32
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2014-08-23 18:37:15 UTC
Arches, please stabilize

=dev-lang/php-5.5.16
=dev-lang/php-5.4.32
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 5 Agostino Sarubbo gentoo-dev 2014-08-23 20:18:51 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-08-23 20:19:02 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-08-24 09:03:06 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-08-24 09:04:34 UTC
arm stable
Comment 9 Jeroen Roovers gentoo-dev 2014-08-24 13:58:23 UTC
Stable for HPPA.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-08-25 02:31:06 UTC
CVE-2014-4049 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4049):
  Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c
  in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of
  service (crash) and possibly execute arbitrary code via a crafted DNS TXT
  record, related to the dns_get_record function.

CVE-2014-3597 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3597):
  Multiple buffer overflows in the php_parserr function in ext/standard/dns.c
  in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to
  cause a denial of service (application crash) or possibly execute arbitrary
  code via a crafted DNS record, related to the dns_get_record function and
  the dn_expand function.  NOTE: this issue exists because of an incomplete
  fix for CVE-2014-4049.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2014-08-25 11:56:05 UTC
ia64/sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-08-26 09:36:57 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-08-26 09:37:25 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 Kristian Fiskerstrand gentoo-dev Security 2014-08-26 09:52:26 UTC
Arches: Thank you very much. 
Maintainers: Please cleanup

Added to existing GLSA request.
Comment 15 Agostino Sarubbo gentoo-dev 2014-08-26 09:59:21 UTC
cleanup done
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:28:04 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).