Bug 782951 (CVE-2012-0781)

Summary: CVE-2012-0781 php: tidy_diagnose() NULL pointer dereference may cause DoS
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fedora, jorton, rpm
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20120110,reported=20120110,source=internet,cvss2=2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P,rhel-4/php=notaffected,rhel-5/php=notaffected,rhel-5/php53=notaffected,rhel-6/php=affected,fedora-all/php=notaffected,cwe=CWE-476[auto]
Fixed In Version: php 5.3.9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-27 13:15:50 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 830729, 830730    
Bug Blocks: 782956, 835959    

Description Vincent Danen 2012-01-18 17:34:43 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-0781 to
the following vulnerability:

Name: CVE-2012-0781
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0781
Assigned: 20120118
Reference: http://archives.neohapsis.com/archives/bugtraq/2012-01/0092.html
Reference: http://www.exploit-db.com/exploits/18370/
Reference: http://cxsecurity.com/research/103

The tidy_diagnose function in PHP 5.3.8 might allow remote attackers
to cause a denial of service (NULL pointer dereference and application
crash) via crafted input to an application that attempts to perform
Tidy::diagnose operations on invalid objects, a different
vulnerability than CVE-2011-4153.
Comment 1 Vincent Danen 2012-01-18 17:40:33 EST
This should be corrected in 5.3.9, as per this note in the PHP 5.3.9 changelog:

Fixed bug #54682 (Tidy::diagnose() NULL pointer dereference). (Maksymilian Arciemowicz, Felipe)

The upstream commit to fix is here:

Comment 2 Huzaifa S. Sidhpurwala 2012-02-06 01:44:38 EST
This issue affects the version of php as shipped with Red Hat Enterprise Linux 6.

This issue did not affect the version of php as shipped with Red Hat Enterprise Linux 4 and 5. This issue did not affect the version of php53 as shipped with Red Hat Enterprise Linux 5. Since neither of these packages ship the standard PHP module providing tidy library support.

This issue did not affect the version of php as shipped with Fedora 15 and Fedora 16.
Comment 5 errata-xmlrpc 2012-06-27 11:52:51 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1046 https://rhn.redhat.com/errata/RHSA-2012-1046.html