Bug 1185896 (CVE-2015-1353)

Summary: CVE-2015-1353 php: integer overflow in the conversion of dates to "Julian Day Count" function
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bleanhar, ccoleman, cgr, dmcphers, falonso, fedora, jdetiber, jialiu, jkeck, jokerman, jorton, kseifried, lmeyer, mmaslano, mmccomas, rcollet, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-29 14:40:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1185897    
Bug Blocks: 1185898    

Description Vasyl Kaigorodov 2015-01-26 15:08:19 UTC 
Integer overflow was reported in PHP [1].
The commit that fixes this, with a PoC can be found here:
https://github.com/MegaManSec/php-src/commit/a538d2f5605798422f2746636ecdc300f8ebcaa1

[1]: http://seclists.org/oss-sec/2015/q1/190
Comment 1 Vasyl Kaigorodov 2015-01-26 15:12:24 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1185897]
Comment 2 Remi Collet 2015-01-27 17:52:01 UTC 
Sorry, but I don't see how this can be a security bug.
Bad input => bad result.
No crash.
Comment 4 Carl Riches 2015-05-04 18:38:50 UTC 
NIST has changed the status of this security issue:

 Original release date: 03/30/2015
Last revised: 03/30/2015
Source: US-CERT/NIST 
Impact
CVSS Severity (version 2.0):
  CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Impact Subscore: 6.4
  Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
  Access Vector: Network exploitable
  Access Complexity: Low
  Authentication: Not required to exploit
  Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

(see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1353)

We need a PHP update from Red Hat for RHEL 6 and RHEL 7 that addresses this issue.  Will you re-open this bug and provide an update that fixes this vulnerability?
Comment 5 Tomas Hoger 2015-05-20 12:20:17 UTC 
This CVE assignment was officially rejected with the following explanation:

  This candidate was withdrawn by its CNA. Further investigation showed that
  it cannot be considered a security issue in the originally named product
  because of that product's specification.