Bug 1132589 (CVE-2014-3597) - CVE-2014-3597 php: multiple buffer over-reads in php_parserr
Summary: CVE-2014-3597 php: multiple buffer over-reads in php_parserr
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3597
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1114521 1140017 1140018 1140023 1140026 1140027 1149762 1149771
Blocks: 1108453 1138881 1149858
TreeView+ depends on / blocked
 
Reported: 2014-08-21 15:26 UTC by Vincent Danen
Modified: 2021-06-01 12:54 UTC (History)
6 users (show)

Fixed In Version: php 5.5.16, php 5.4.32
Doc Type: Bug Fix
Doc Text:
Multiple buffer over-read flaws were found in the php_parserr() function of PHP. A malicious DNS server or a man-in-the-middle attacker could possibly use this flaw to crash a PHP application that used the dns_get_record() function to perform a DNS query.
Clone Of:
Environment:
Last Closed: 2014-10-31 09:49:15 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1326 0 normal SHIPPED_LIVE Moderate: php53 and php security update 2014-09-30 09:14:20 UTC
Red Hat Product Errata RHSA-2014:1327 0 normal SHIPPED_LIVE Moderate: php security update 2014-09-30 13:09:42 UTC
Red Hat Product Errata RHSA-2014:1765 0 normal SHIPPED_LIVE Important: php54-php security update 2014-10-30 23:45:24 UTC
Red Hat Product Errata RHSA-2014:1766 0 normal SHIPPED_LIVE Important: php55-php security update 2014-10-30 23:45:12 UTC

Description Vincent Danen 2014-08-21 15:26:18 UTC 
During the testing of the patch to fix CVE-2014-4049 (bug 1108447) in PHP, other possible buffer overflows were discovered [1] that led to a segfault in dns_get_record():

- code rely on dlen (from server response) without overflow check
- code call dn_expand without sending real "end" of answer

It has been corrected upstream [2] and a reproducer to test is available [3].  This will be fixed in upstream 5.4.32 (currently unreleased).


[1] https://bugs.php.net/bug.php?id=67717
[2] https://github.com/php/php-src/commit/2fefae47716d501aec41c1102f3fd4531f070b05
[3] https://bugs.php.net/patch-display.php?bug=67717&patch=repro.patch&revision=1406726280
Comment 1 Vincent Danen 2014-08-22 18:58:11 UTC 
This is corrected in upstream PHP 5.5.16 and 5.4.32:

http://php.net/ChangeLog-5.php#5.5.16
http://php.net/ChangeLog-5.php#5.4.32
Comment 6 Remi Collet 2014-09-11 06:35:58 UTC 
PHP commit http://git.php.net/?p=php-src.git;a=commit;h=2fefae47716d501aec41c1102f3fd4531f070b05
Comment 7 Tomas Hoger 2014-09-11 08:30:48 UTC 
This does not seem to really qualify as "incomplete CVE-2014-4049 fix".  The fix under CVE-2014-4049 addressed buffer over-write (with buffer over-read happening at the same time) that could lead to heap memory corruption.  This additional fix adds additional checks against buffer over-reads, which are not limited to the processing of the TXT DNS resource records.

Adjusting CVSSv2 score and impact rating, as it should not match score and rating of the CVE-2014-4049 issue.
Comment 9 Martin Prpič 2014-09-25 12:14:37 UTC 
IssueDescription:

Multiple buffer over-read flaws were found in the php_parserr() function of PHP. A malicious DNS server or a man-in-the-middle attacker could possibly use this flaw to crash a PHP application that used the dns_get_record() function to perform a DNS query.
Comment 10 errata-xmlrpc 2014-09-30 05:15:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:1326 https://rhn.redhat.com/errata/RHSA-2014-1326.html
Comment 11 errata-xmlrpc 2014-09-30 09:10:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1327 https://rhn.redhat.com/errata/RHSA-2014-1327.html
Comment 14 errata-xmlrpc 2014-10-30 19:46:38 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html
Comment 15 errata-xmlrpc 2014-10-30 19:55:03 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html
Comment 16 Tomas Hoger 2014-10-31 09:49:15 UTC 
Statement:

This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 5.
Note You need to log in before you can comment on or make changes to this bug.