Bug 670806 (CVE-2010-4699)

Summary: CVE-2010-4699 php: iconv_mime_decode_headers skips headers using unsupported encoding
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: jorton
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-20 21:01:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Hoger 2011-01-19 12:58:53 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4699 to the following issue:

The iconv_mime_decode_headers function in the Iconv extension in PHP
before 5.3.4 does not properly handle encodings that are unrecognized
by the iconv and mbstring (aka Multibyte String) implementations,
which allows remote attackers to trigger an incomplete output array,
and possibly bypass spam detection or have unspecified other impact,
via a crafted Subject header in an e-mail message, as demonstrated by
the ks_c_5601-1987 character set.

References:
http://bugs.php.net/52941
http://www.php.net/ChangeLog-5.php#5.3.4
http://coding.derkeiler.com/Archive/PHP/php.general/2007-04/msg00605.html

Upstream commit:
http://svn.php.net/viewvc/?view=revision&revision=303890
Comment 1 Tomas Hoger 2011-01-20 11:20:54 UTC 
This looks more like regular bug / enhancement rather than security flaw.  Upstream did not consider this to be security fix, security impacts mentioned the CVE description are fairly vague.

Checking with the upstream SVN test case, this bug occurs when iconv_mime_decode_headers is called with ICONV_MIME_DECODE_CONTINUE_ON_ERROR flag, i.e. when it's asked to continue parsing headers even when some error was detected.  So it's asked to perform a best effort recovery for the malformed input.  When called without this flag set, iconv_mime_decode_headers returns false.

Fixing the code that tries to recover form errors is a bug fix, but it does not seem to qualify as a security fix.  Joe, do you possibly see what I may be missing?
Comment 3 Joe Orton 2011-01-20 12:56:40 UTC 
No, I don't see any security issue there, I presume it is extrapolated from "skipping spam checks".  Even upstream didn't list this under the security fixes in the 5.3.4 changes.
Comment 4 Tomas Hoger 2011-01-20 21:01:59 UTC 
Statement:

Red Hat does not consider this issue to be a security vulnerability, rather consider this to be a non-security bug.