Bug 689365 (CVE-2011-1464)

Summary: CVE-2011-1464 php: Crash by retrieving string value of a variable, when high precision used
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jorton, redhat-bugzilla
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-03-21 09:24:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jan Lieskovsky 2011-03-21 08:37:30 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1464 to
the following vulnerability:

Buffer overflow in the strval function in PHP before 5.3.6, when the
precision configuration option has a large value, might allow
context-dependent attackers to cause a denial of service (application
crash) via a small numerical value in the argument.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1464
[2] http://bugs.php.net/bug.php?id=54055
[3] http://www.php.net/ChangeLog-5.php
[4] http://www.php.net/archive/2011.php
[5] http://www.php.net/releases/5_3_6.php

Comment 1 Jan Lieskovsky 2011-03-21 08:39:24 UTC
Public PoC (from [2]):

for($i = 500; $i <= 1074; $i++) {
  ini_set('precision', $i);
  print "$i\n";
  strval(pow(2, -1074));

Comment 2 Joe Orton 2011-03-21 08:47:33 UTC
Fix upstream: http://svn.php.net/viewvc?view=revision&revision=308525

Comment 5 Jan Lieskovsky 2011-03-21 09:13:21 UTC
This issue did NOT affect the versions of the php package, as shipped
with Red Hat Enterprise Linux 4 and 5.


This issue affects the versions of the php53 package, as shipped with
Red Hat Enterprise Linux 5.

This issue affects the versions of the php package, as shipped with
Red Hat Enterprise Linux 6.


This issue affects the versions of the php package, as shipped with
Fedora release of 13 and 14.

Comment 7 Jan Lieskovsky 2011-03-21 09:24:26 UTC

Red Hat does not consider this flaw to be a security issue. It is improbable that a script would accept untrusted user input or unvalidated script input data to the strval() function. Input passed to the functions is therefore under the full control of the script author and no trust boundary is crossed. As well, an administrator would have to excessively increase the precision settings in order to trigger this flaw.

Comment 8 Robert Scheck 2011-07-10 15:22:14 UTC
Well, it is likely that especially a PHP script accepts untrusted user input,
but looks like you are trusting developers writing PHP code more than me.