Bug 667806 (CVE-2010-4645)

Summary: CVE-2010-4645 php: hang on numeric value 2.2250738585072011e-308 with x87 fpu
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: dkutalek, fedora, jorton, mkkp4x4, pahan, rpm
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-02-04 09:05:59 UTC
Bug Depends On: 670439, 670461, 670463, 670464

Description Vincent Danen 2011-01-06 20:30:39 UTC
A flaw in how PHP handled the numeric value 2.2250738585072011e-308 was reported [1].  If a script were to assign this value to a variable, it could cause PHP to hang (infinite loop).  This issue has been fixed in upstream PHP [2] 5.2.17 and 5.3.5.

[1] http://bugs.php.net/53632
[2] http://svn.php.net/viewvc?view=revision&revision=307095

Comment 1 Vincent Danen 2011-01-06 20:56:55 UTC
I have not been able to reproduce this on RHEL4 (4.3.9) or RHEL5 (5.1.6) on x86.  I have reproduced it on RHEL6 (5.3.2) and Fedora 14 (5.3.4), both x86.  It does not reproduce on Fedora 14 x86_64, so this is x86-only.

Comment 2 Michał Piotrowski 2011-01-06 21:11:38 UTC
Please add also

r307168 | pajoye | 2011-01-06 18:08:46 +0100 (czw) | 1 linia

- fix vc6 random behavior for Fix bug #53632 with x87 fpu

Comment 3 Vincent Danen 2011-01-07 00:24:29 UTC
Note that upstream has put up a checking script to see if your system is vulnerable:  http://www.php.net/distributions/test_bug53632.txt

Comment 4 Joe Orton 2011-01-07 08:54:21 UTC
Michal, r307168 is MSVC-specific and won't have any effect on Linux.

Comment 16 errata-xmlrpc 2011-02-03 18:56:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0195 https://rhn.redhat.com/errata/RHSA-2011-0195.html

Comment 17 errata-xmlrpc 2011-02-03 19:17:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0196 https://rhn.redhat.com/errata/RHSA-2011-0196.html

Comment 18 Vincent Danen 2011-02-03 19:28:28 UTC
Statement:

This issue leads to a temporary denial of service (high CPU consumption) when a PHP script handles numeric values from untrusted user input. It does not affect the versions of PHP as shipped with Red Hat Enterprise Linux 3, 4 or 5.  It did affect the PHP 5.3 (php53) package on Red Hat Enterprise Linux 5.
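
The statement above concerns numeric values arriving in untrusted input. As an added example (not part of this bug report, of PHP, or of the Red Hat errata), the Python code below flags request lines that carry the value named in this bug in any equivalent decimal spelling, comparing with exact decimal arithmetic rather than converting to a binary float. It matches only that exact value; ignoring the sign is an assumption, and the function names, paths and sample lines are constructed for illustration.

```python
import re
from decimal import Decimal
from urllib.parse import unquote

# Value named in this bug report (CVE-2010-4645).
TRIGGER = Decimal("2.2250738585072011e-308")

# Candidate decimal literals: digits, optional point, optional exponent.
NUMERIC_TOKEN = re.compile(r"[+-]?(?:[0-9]+\.?[0-9]*|\.[0-9]+)(?:[eE][+-]?[0-9]+)?")


def find_trigger_literals(text):
    """Return the tokens in `text` that are numerically equal to TRIGGER.

    Decimal compares exactly, so respellings such as 0.222...e-307 or
    222...e-324 are caught, while neighbouring values are not. The sign is
    ignored (assumption: a negated literal is treated as equally suspect).
    """
    hits = []
    for match in NUMERIC_TOKEN.finditer(unquote(text)):
        token = match.group(0)
        try:
            value = Decimal(token)
        except ArithmeticError:  # exponent outside Decimal's limits
            continue
        if value.copy_abs() == TRIGGER:
            hits.append(token)
    return hits


def scan_lines(lines):
    """Return (line_number, token) pairs for every hit, 1-based."""
    return [(n, tok) for n, line in enumerate(lines, 1)
            for tok in find_trigger_literals(line)]


# Constructed sample request lines (hypothetical paths and parameters).
SAMPLE_REQUESTS = [
    "GET /calc.php?n=19.99&qty=3 HTTP/1.1",
    "GET /calc.php?n=2.2250738585072011e-308 HTTP/1.1",
    "GET /calc.php?n=0.22250738585072011E%2D307 HTTP/1.1",
    "GET /calc.php?n=22250738585072011e-324 HTTP/1.1",
    "GET /calc.php?n=2.2250738585072014e-308 HTTP/1.1",
]

if __name__ == "__main__":
    for lineno, token in scan_lines(SAMPLE_REQUESTS):
        print(f"line {lineno}: {token}")
```

The tokens are percent-decoded before matching, so the reported token is the decoded form.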