Bug 1451700 (CVE-2017-8923)
| Summary: | CVE-2017-8923 php: Overflowing the length of string causes crash | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | fedora, hhorak, jorton, kseifried, rcollet, sardella, webstack-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | php 7.4.24, php 8.0.11 | Doc Type: | If docs needed, set a value |
| Doc Text: | An integer overflow vulnerability in PHP can lead to a buffer overflow when constructing extremely long strings with the ".=" operator. In unusual circumstances, this could be used by an attacker to cause an application to crash or possibly have other consequences. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-07-05 05:34:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1451701 | | |
| Bug Blocks: | 1451702, 2020490 | | |
Description
Adam Mariš
2017-05-17 10:25:02 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1451701]

This seems to be a flaw in handling very large strings. It is unlikely that this flaw will be triggered by malicious user input, therefore this has very limited security impact.

This issue got fixed upstream via the following upstream bug:
https://bugs.php.net/bug.php?id=73122

Upstream commit:
https://github.com/php/php-src/commit/f1ce8d5f5839cb2069ea37ff424fb96b8cd6932d

The fix was applied in versions 7.4.24 and 8.0.11:
https://www.php.net/ChangeLog-7.php#7.4.24
https://www.php.net/ChangeLog-8.php#8.0.11

The fix depends on the following fix:
https://bugs.php.net/bug.php?id=74960
https://github.com/php/php-src/commit/760ff841a14160f25348f7969985cb8a2c4da3cc

Note that upstream does not seem to be planning to apply this fix for PHP 7.3, as they do not consider the issue to be a security flaw:
https://bugs.php.net/bug.php?id=73122#1629209263

That classification may be based on the fact that this problem can only be triggered when running with memory_limit higher than 2GB or no memory limit, while the default limit is 128MB:
https://www.php.net/manual/en/ini.core.php#ini.memory-limit

However, it may also be based on the fact that upstream bug report #73122 only mentions the strlen() function returning an incorrect value without triggering any crash, as noted in the upstream bug report #74577.

To trigger the overflow, a script has to attempt to concatenate a string with more than 2^31 characters to itself. Being able to trigger that in a non-malicious script seems unlikely.

Another mitigating factor is that the 2^31 limit only applies to 32-bit systems. On 64-bit systems, a string would have to be 2^63 characters long, which would not be possible with current hardware. Only 64-bit builds of PHP are provided for Red Hat Enterprise Linux 7 and later.
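The length arithmetic described in the comment above, as an added model written for this page. It is not code from php-src, from the upstream commits, or from the bug report: it takes string lengths as 32-bit, matching the 32-bit builds the comment identifies as the only affected ones, and simulates the `$s .= $s` concatenation instead of performing it, so nothing multi-gigabyte is ever allocated. The type `len32_t`, the functions `concat_len_unchecked`, `concat_len_checked` and `simulate_self_concat`, and the constants `MEM_UNLIMITED` and `DEFAULT_MEMORY_LIMIT` are this example's own names; the 128M default and the self-concatenation trigger come from the page.

```c
/*
 * Added model of the CVE-2017-8923 length arithmetic, written for this page.
 * NOT code from php-src or from the bug report. String lengths are 32-bit here,
 * as on a 32-bit PHP build (model assumption); the concatenation is simulated,
 * so the multi-gigabyte operands are never actually allocated.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t len32_t;                      /* size_t on a 32-bit build (assumption) */
#define LEN32_MAX UINT32_MAX
#define MEM_UNLIMITED UINT64_MAX               /* stands in for memory_limit = -1 */
#define DEFAULT_MEMORY_LIMIT (128ull << 20)    /* php.ini default: 128M */

/* Naive result length for "a .= b": unsigned wrap, silently too small. */
len32_t concat_len_unchecked(len32_t a, len32_t b)
{
    return a + b;
}

/* Hardened result length: refuse the operation instead of wrapping. */
bool concat_len_checked(len32_t a, len32_t b, len32_t *out)
{
    if (a > LEN32_MAX - b)        /* a + b would not fit in len32_t */
        return false;
    *out = a + b;
    return true;
}

typedef struct {
    bool     limit_hit;       /* the strings could never be built under memory_limit */
    bool     rejected;        /* checked path refused the concatenation */
    len32_t  alloc_len;       /* size requested for the result buffer */
    uint64_t copied;          /* bytes the copy of both operands would write */
    bool     heap_overflow;   /* copied > alloc_len: write past the buffer */
} concat_outcome;

/* Models "$s .= $s" for a string of n bytes under a given memory_limit. */
concat_outcome simulate_self_concat(len32_t n, bool checked, uint64_t mem_limit)
{
    concat_outcome o = {0};
    len32_t newlen;

    /* The operand itself must already exist: n bytes under the limit. */
    if ((uint64_t)n > mem_limit) {
        o.limit_hit = true;
        return o;
    }
    if (checked) {
        if (!concat_len_checked(n, n, &newlen)) {
            o.rejected = true;
            return o;
        }
    } else {
        newlen = concat_len_unchecked(n, n);
    }
    /* A wrapped newlen is tiny, so a limit check on the result buffer passes. */
    if ((uint64_t)n + newlen > mem_limit) {
        o.limit_hit = true;
        return o;
    }
    o.alloc_len = newlen;
    o.copied = 2 * (uint64_t)n;   /* the copy writes both operands in full */
    o.heap_overflow = o.copied > o.alloc_len;
    return o;
}

int main(void)
{
    /* Constructed cases: well below, just below, at, and just above 2^31 bytes. */
    const len32_t cases[] = { 1000u, 0x7FFFFFFFu, 0x80000000u, 0x80000001u };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        concat_outcome u = simulate_self_concat(cases[i], false, MEM_UNLIMITED);
        concat_outcome c = simulate_self_concat(cases[i], true, MEM_UNLIMITED);
        concat_outcome d = simulate_self_concat(cases[i], false, DEFAULT_MEMORY_LIMIT);
        printf("n=%10" PRIu32 "  unchecked: alloc=%10" PRIu32 " copied=%11" PRIu64
               " overflow=%d | checked: rejected=%d | 128M limit: unreachable=%d\n",
               cases[i], u.alloc_len, u.copied, u.heap_overflow,
               c.rejected, d.limit_hit);
    }
    return 0;
}
```

The unchecked path shows why the self-concatenation is a heap overflow and not only a wrong strlen(): once the operand reaches 2^31 bytes the summed length no longer fits in 32 bits, the wrapped value is what the allocator is asked for, and the copy still writes both operands in full. Run with the 128M default memory_limit, the same simulation stops at the first step because a 2 GiB operand can never be built, which is the mitigating factor the comment points to; the checked path refuses the operation outright, which is the shape of fix the page's upstream links describe.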