oss-sec mailing list archives

CVE request: PHP xmlrpc date_from_ISO8601() buffer overflow (in php < 5.2.7)


From: Tomas Hoger <thoger () redhat com>
Date: Wed, 5 Nov 2014 16:14:01 +0100

Hi!

While looking at the recent PHP CVE-2014-3668, a worse problem was
spotted in the same code that affected older PHP versions.  The
date_from_ISO8601() function optionally copied input to a fixed size
local buffer without performing any bounds checks:

http://git.php.net/?p=php-src.git;a=blob;f=ext/xmlrpc/libxmlrpc/xmlrpc.c;h=d82f270#l168

The issue was reported and corrected via:

https://bugs.php.net/bug.php?id=45226
http://git.php.net/?p=php-src.git;a=commitdiff;h=c818d0d

The fix was included in PHP 5.2.7:

http://php.net/ChangeLog-5.php#5.2.7

  Fixed bugs #45226, #18916 (xmlrpc_set_type() segfaults and wrong behavior
  with valid ISO8601 date string). (Jeff Lawsons)

It wasn't flagged as a security fix, which seems incorrect to me.  This
overflow can be triggered by a malicious XML passed to xmlrpc_decode*
PHP functions.

Can a CVE be assigned?  I'm not sure if this needs 2008 or 2014 id.

-- 
Tomas Hoger / Red Hat Product Security

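The bug class described above (attacker-controlled text copied into a fixed-size stack buffer with no bounds check, here while stripping the '-' and ':' separators out of an ISO 8601 date) as an added C illustration. This is not the libxmlrpc date_from_ISO8601() code and not part of the original message; the 18-byte buffer size, the function names and the sample inputs are assumptions made for the example. It puts the unchecked copy beside a bounded version that rejects oversized input instead of overrunning the stack.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this illustration; not taken from the
 * libxmlrpc source, which the post does not quote. */
#define ISO8601_BUF 18

/* Constructed sample inputs: a well-formed date and an oversized one
 * of the kind a hostile XML-RPC payload could carry. */
const char *const SAMPLE_GOOD = "2014-11-05T16:14:01";
const char *const SAMPLE_OVERSIZED =
    "2014-11-05T16:14:01AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Vulnerable shape: strip '-' and ':' into a fixed caller buffer of
 * ISO8601_BUF bytes with no check on how much is written.  Input longer
 * than the buffer overruns the stack.  Shown only to make the defect
 * concrete; never call it with untrusted input. */
static int normalize_unchecked(const char *text, char *out /* [ISO8601_BUF] */)
{
    char *p2 = out;
    for (const char *p = text; *p; p++) {
        if (*p != '-' && *p != ':')
            *p2++ = *p;          /* no comparison against ISO8601_BUF */
    }
    *p2 = '\0';
    return (int)(p2 - out);
}

/* How many bytes (NUL included) the unchecked copy would store for a
 * given input, computed without writing anything.  Anything above
 * ISO8601_BUF is an out-of-bounds write in normalize_unchecked(). */
size_t unchecked_bytes_written(const char *text)
{
    size_t n = 1;                /* terminating NUL */
    for (; *text; text++)
        if (*text != '-' && *text != ':')
            n++;
    return n;
}

/* Hardened version: identical normalization, but every store is bounded
 * by the caller-supplied capacity and oversized input is rejected rather
 * than silently truncated.  Returns the characters stored, or -1. */
int normalize_bounded(const char *text, char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return -1;
    for (; *text; text++) {
        if (*text == '-' || *text == ':')
            continue;
        if (n + 1 >= cap)        /* keep room for the NUL */
            return -1;
        out[n++] = *text;
    }
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper over normalize_bounded() with a static buffer of
 * the assumed size; returns NULL when the input is rejected. */
const char *normalize_iso8601(const char *text)
{
    static char buf[ISO8601_BUF];
    return normalize_bounded(text, buf, sizeof buf) < 0 ? NULL : buf;
}

int main(void)
{
    char buf[ISO8601_BUF];

    /* The unchecked copy is only exercised on input that fits. */
    normalize_unchecked(SAMPLE_GOOD, buf);
    printf("unchecked, good input : %s (%zu bytes written)\n",
           buf, unchecked_bytes_written(SAMPLE_GOOD));
    printf("unchecked, oversized  : would write %zu bytes into %d\n",
           unchecked_bytes_written(SAMPLE_OVERSIZED), ISO8601_BUF);

    const char *ok = normalize_iso8601(SAMPLE_GOOD);
    printf("bounded, good input   : %s\n", ok ? ok : "(rejected)");
    const char *bad = normalize_iso8601(SAMPLE_OVERSIZED);
    printf("bounded, oversized    : %s\n", bad ? bad : "(rejected)");
    return 0;
}
```

The bounded variant fails closed: the caller sees -1 (or NULL) and can reject the XML-RPC value, which is the behaviour a decoder fed hostile input should have, rather than the caller's stack frame being overwritten.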