Bug 1154500 (CVE-2014-3669)
| Field | Value |
|---|---|
| Summary | CVE-2014-3669 php: integer overflow in unserialize() |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Murray McAllister <mmcallis> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | chazlett, fedora, fkrska, jorton, jrusnack, mmaslano, rcollet, sebastian.leitz, vdanen, webstack-team |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | php 5.4.34, php 5.5.18, php 5.6.2 |
| Doc Type | Bug Fix |
| Doc Text | An integer overflow flaw was found in the way custom objects were unserialized. Specially crafted input processed by the unserialize() function could cause a PHP application to crash. |
| Last Closed | 2014-11-06 17:59:07 UTC |
| Bug Depends On | 1154638, 1154639, 1155019, 1155020, 1155021, 1155022, 1155023, 1155024, 1170147 |
| Bug Blocks | 1149858, 1154506 |

Description
Murray McAllister
2014-10-20 04:17:05 UTC
5.5.18 is already in Fedora testing, so no Fedora trackers for this (or bug 1154502 and bug 1154503).

(In reply to Murray McAllister from comment #0)
> It was reported that this issue only affects 32-bit systems.

This issue does not seem to be 32-bit specific per se. The problematic code check is:

  pointer1 + long >= pointer2

An attacker providing crafted serialized input has full control over the long value. As the variable is signed, and there is another check to ensure that its value is not negative, overflow can happen if pointer1 + long overflows. That can only happen if pointer1 points to the upper half of the address range, as the maximum long value is approximately half of the maximum pointer value. That is a lot more likely on 32-bit systems than on 64-bit systems. The attacker has limited control over pointer1.

IssueDescription: An integer overflow flaw was found in the way custom objects were unserialized. Specially crafted input processed by the unserialize() function could cause a PHP application to crash.

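The bounds check discussed in the reply above, as an added example that is not part of the original bug report and is not PHP's source: it compares the `pointer1 + long >= pointer2` form with a form that compares the length against the bytes remaining. Addresses are modelled as 32-bit integers (an assumption, so the wraparound is well defined on any host), and the function names and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: addresses modelled as 32-bit unsigned integers so that the
 * wraparound is defined behaviour and reproducible on a 64-bit host. */
typedef uint32_t addr32;

/* Shape of the check quoted above: pointer1 + long >= pointer2.
 * Returns 1 when the length is rejected, 0 when it is accepted. */
int rejects_sum_form(addr32 cursor, addr32 end, int32_t len)
{
    if (len < 0)                 /* the separate "not negative" check */
        return 1;
    return (addr32)(cursor + (addr32)len) >= end;  /* sum can wrap past 0 */
}

/* Overflow-free form: compare the length with the bytes remaining.
 * Requires cursor <= end, which holds while parsing inside the buffer. */
int rejects_remaining_form(addr32 cursor, addr32 end, int32_t len)
{
    if (len < 0)
        return 1;
    return (addr32)len >= (addr32)(end - cursor);
}

int main(void)
{
    /* Constructed sample values, not taken from a real process. */
    struct { const char *what; addr32 cursor, end; int32_t len; } cases[] = {
        { "lower half, length fits",     0x08000010u, 0x08000100u, 0x20 },
        { "lower half, length too long", 0x08000010u, 0x08000100u, INT32_MAX },
        { "upper half, length too long", 0xbf000010u, 0xbf000100u, INT32_MAX },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s sum form rejects=%d, remaining form rejects=%d\n",
               cases[i].what,
               rejects_sum_form(cases[i].cursor, cases[i].end, cases[i].len),
               rejects_remaining_form(cases[i].cursor, cases[i].end, cases[i].len));
    return 0;
}
```

Only the third case differs between the two forms: with the cursor in the upper half of the address range the sum wraps to a small value and the oversized length is accepted, which matches the condition described in the reply.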
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1768 https://rhn.redhat.com/errata/RHSA-2014-1768.html

This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html

This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:1767 https://rhn.redhat.com/errata/RHSA-2014-1767.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1824 https://rhn.redhat.com/errata/RHSA-2014-1824.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only

Via RHSA-2015:0021 https://rhn.redhat.com/errata/RHSA-2015-0021.html