Bug 689365 (CVE-2011-1464)

Summary: CVE-2011-1464 php: Crash by retrieving string value of a variable, when high precision used
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jorton, redhat-bugzilla
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-21 09:24:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2011-03-21 08:37:30 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1464 to
the following vulnerability:

Buffer overflow in the strval function in PHP before 5.3.6, when the
precision configuration option has a large value, might allow
context-dependent attackers to cause a denial of service (application
crash) via a small numerical value in the argument.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1464
[2] http://bugs.php.net/bug.php?id=54055
[3] http://www.php.net/ChangeLog-5.php
[4] http://www.php.net/archive/2011.php
[5] http://www.php.net/releases/5_3_6.php
Comment 1 Jan Lieskovsky 2011-03-21 08:39:24 UTC 
Public PoC (from [2]):
======================

<?php
for($i = 500; $i <= 1074; $i++) {
  ini_set('precision', $i);
  print "$i\n";
  strval(pow(2, -1074));
}
Comment 2 Joe Orton 2011-03-21 08:47:33 UTC 
Fix upstream: http://svn.php.net/viewvc?view=revision&revision=308525
Comment 5 Jan Lieskovsky 2011-03-21 09:13:21 UTC 
This issue did NOT affect the versions of the php package, as shipped
with Red Hat Enterprise Linux 4 and 5.

--

This issue affects the versions of the php53 package, as shipped with
Red Hat Enterprise Linux 5.

This issue affects the versions of the php package, as shipped with
Red Hat Enterprise Linux 6.

--

This issue affects the versions of the php package, as shipped with
Fedora release of 13 and 14.
Comment 7 Jan Lieskovsky 2011-03-21 09:24:26 UTC 
Statement:

Red Hat does not consider this flaw to be a security issue. It is improbable that a script would accept untrusted user input or unvalidated script input data to the strval() function. Input passed to the functions is therefore under the full control of the script author and no trust boundary is crossed. As well, an administrator would have to excessively increase the precision settings in order to trigger this flaw.
Comment 8 Robert Scheck 2011-07-10 15:22:14 UTC 
Well, it is likely that especially a PHP script accepts untrusted user input,
but looks like you are trusting developers writing PHP code more than me.