Bug 459569 (CVE-2008-3659)

Summary: CVE-2008-3659 php: buffer overflow in memnstr
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fedora, jorton, rpm
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-03-25 09:00:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Reproducer from upstream CVS none

Description Tomas Hoger 2008-08-20 09:28:05 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3659 to
the following vulnerability:

Buffer overflow in the memnstr function in PHP 4.4.x before 4.4.9 and PHP 5.2 through 5.2.6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via the delimiter argument to the explode function. NOTE: the scope of this issue is limited since most applications would not use an attacker-controlled delimiter, but local attacks against safe_mode are feasible.

References:
http://www.php.net/archive/2008.php#id2008-08-07-1
http://www.openwall.com/lists/oss-security/2008/08/13/8
http://www.openwall.com/lists/oss-security/2008/08/08/4
http://www.openwall.com/lists/oss-security/2008/08/08/3
http://www.openwall.com/lists/oss-security/2008/08/08/2
http://bugs.gentoo.org/show_bug.cgi?id=234102

Upstream patch with test case:
http://news.php.net/php.cvs/52002
Comment 1 Tomas Hoger 2008-08-20 09:30:55 UTC 
Created attachment 314616 [details]
Reproducer from upstream CVS

http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/explode_bug.phpt
Comment 2 Tomas Hoger 2009-03-25 09:00:23 UTC 

*** This bug has been marked as a duplicate of bug 169857 ***