Bug 494530 (CVE-2009-1271)

Summary: CVE-2009-1271 php: crash on malformed input in json_decode()
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fedora, jorton, rpm
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-06-16 07:05:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 487371    
Bug Blocks:    

Description Tomas Hoger 2009-04-07 10:50:19 UTC
PHP 5.2.9 upstream release notes mention following security fix:

  Fixed a segfault when malformed string is passed to json_decode(). (Scott)


Upstream patch:

JSON extension was only introduced in PHP 5.2.0, earlier versions of php (such as those shipped in Red Hat Enterprise Linux 2.1, 3, 4, and 5) are not affected by this problem.

Comment 2 Tomas Hoger 2009-04-09 07:38:21 UTC
The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before
5.2.9 allows remote attackers to cause a denial of service
(segmentation fault) via a malformed string to the json_decode API

Comment 3 errata-xmlrpc 2009-04-14 17:14:55 UTC
This issue has been addressed in following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:0350 https://rhn.redhat.com/errata/RHSA-2009-0350.html

Comment 4 Fedora Update System 2009-05-30 02:33:40 UTC
maniadrive-1.2-13.fc10, php-5.2.9-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2009-05-30 02:37:39 UTC
maniadrive-1.2-13.fc9, php-5.2.9-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.