Bug 344061 (CVE-2010-3870) - dev-lang/php: UTF-8 Decoding Vulnerabilities (CVE-2010-3870)
Summary: dev-lang/php: UTF-8 Decoding Vulnerabilities (CVE-2010-3870)
Status: RESOLVED DUPLICATE of bug 340807
Alias: CVE-2010-3870
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://svn.php.net/viewvc?view=revisi...
Whiteboard: B3 [upstream/ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-11-04 01:39 UTC by Tim Sammut (RETIRED)
Modified: 2010-12-10 06:00 UTC

See Also:
Package list:
Runtime testing required: ---
Description Tim Sammut (RETIRED) gentoo-dev 2010-11-04 01:39:39 UTC
I do not see a lot of good information on this issue. The upstream bug (http://bugs.php.net/bug.php?id=49687) indicates that errors in decoding UTF-8 can enable XSS and SQL injection.

The upstream revision at $URL states:

- Fixed bug #49687 (utf8_decode vulnerabilities and deficiencies in the number
  of reported malformed sequences).

The SuSE folks have found that 5.2 is vulnerable as well:

http://www.openwall.com/lists/oss-security/2010/11/03/1
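The fix note above refers to utf8_decode() and to the number of malformed sequences it reports. As an added illustration (not code from PHP or from this bug), here is a Python decoder with the same contract, UTF-8 in, ISO-8859-1 out, '?' for anything malformed or unrepresentable, that also returns the count of malformed sequences; it applies the standard UTF-8 well-formedness rules, and treating lenient acceptance of malformed input as the defect class is an assumption.

```python
"""Strict UTF-8 -> ISO-8859-1 conversion that reports malformed sequences.

Added illustration, not PHP's utf8_decode() itself: each valid code point
becomes one Latin-1 byte, anything malformed or outside Latin-1 becomes '?',
and the number of malformed sequences is returned alongside the output.
The byte-level rules (overlong forms, surrogates, truncated sequences, stray
continuation bytes) are the standard UTF-8 well-formedness rules.
"""


def utf8_to_latin1_strict(data: bytes) -> tuple[bytes, int]:
    out = bytearray()
    bad = 0
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                                  # ASCII: always one byte
            out.append(b); i += 1; continue
        # Expected continuation count and the smallest code point allowed for
        # that length; anything below `low` is an overlong encoding.
        if 0xC0 <= b <= 0xDF:
            need, cp, low = 1, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            need, cp, low = 2, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:
            need, cp, low = 3, b & 0x07, 0x10000
        else:                                         # stray continuation or F8..FF
            out.append(ord('?')); bad += 1; i += 1; continue
        j = i + 1
        while j <= i + need and j < n and 0x80 <= data[j] <= 0xBF:
            cp = (cp << 6) | (data[j] & 0x3F); j += 1
        consumed = j - i - 1
        if (consumed != need or cp < low
                or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF):
            # Malformed: count it once, emit one '?', and resume after the bytes
            # examined so a following ASCII byte is kept rather than re-parsed.
            out.append(ord('?')); bad += 1; i = j; continue
        out.append(cp if cp <= 0xFF else ord('?'))    # valid but not Latin-1
        i = j
    return bytes(out), bad


if __name__ == "__main__":
    # Constructed sample: valid e-acute, an overlong '/', a truncated sequence.
    print(utf8_to_latin1_strict(b"caf\xc3\xa9 \xc0\xaf \xe2\x82A"))
```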
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-11-15 03:45:00 UTC
Here is the commit to PHP 5.2.

http://svn.php.net/viewvc?view=revision&revision=305055
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-12-10 06:00:15 UTC

*** This bug has been marked as a duplicate of bug 340807 ***