During the testing of the patch to fix CVE-2014-4049 (bug 1108447) in PHP, other possible buffer overflows were discovered [1] that led to a segfault in dns_get_record(): - code rely on dlen (from server response) without overflow check - code call dn_expand without sending real "end" of answer It has been corrected upstream [2] and a reproducer to test is available [3]. This will be fixed in upstream 5.4.32 (currently unreleased). [1] https://bugs.php.net/bug.php?id=67717 [2] https://github.com/php/php-src/commit/2fefae47716d501aec41c1102f3fd4531f070b05 [3] https://bugs.php.net/patch-display.php?bug=67717&patch=repro.patch&revision=1406726280
This is corrected in upstream PHP 5.5.16 and 5.4.32: http://php.net/ChangeLog-5.php#5.5.16 http://php.net/ChangeLog-5.php#5.4.32
PHP commit http://git.php.net/?p=php-src.git;a=commit;h=2fefae47716d501aec41c1102f3fd4531f070b05
This does not seem to really qualify as "incomplete CVE-2014-4049 fix". The fix under CVE-2014-4049 addressed buffer over-write (with buffer over-read happening at the same time) that could lead to heap memory corruption. This additional fix adds additional checks against buffer over-reads, which are not limited to the processing of the TXT DNS resource records. Adjusting CVSSv2 score and impact rating, as it should not match score and rating of the CVE-2014-4049 issue.
IssueDescription: Multiple buffer over-read flaws were found in the php_parserr() function of PHP. A malicious DNS server or a man-in-the-middle attacker could possibly use this flaw to crash a PHP application that used the dns_get_record() function to perform a DNS query.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2014:1326 https://rhn.redhat.com/errata/RHSA-2014-1326.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2014:1327 https://rhn.redhat.com/errata/RHSA-2014-1327.html
This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html
This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html
Statement: This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 5.