Integer overflow was reported in PHP [1]. The commit that fixes this, with a PoC can be found here: https://github.com/MegaManSec/php-src/commit/a538d2f5605798422f2746636ecdc300f8ebcaa1 [1]: http://seclists.org/oss-sec/2015/q1/190
Created php tracking bugs for this issue: Affects: fedora-all [bug 1185897]
Sorry, but I don't see how this can be a security bug. Bad input => bad result. No crash.
NIST has changed the status of this security issue: Original release date: 03/30/2015 Last revised: 03/30/2015 Source: US-CERT/NIST Impact CVSS Severity (version 2.0): CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) Impact Subscore: 6.4 Exploitability Subscore: 10.0 CVSS Version 2 Metrics: Access Vector: Network exploitable Access Complexity: Low Authentication: Not required to exploit Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service (see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1353) We need a PHP update from Red Hat for RHEL 6 and RHEL 7 that addresses this issue. Will you re-open this bug and provide an update that fixes this vulnerability?
This CVE assignment was officially rejected with the following explanation: This candidate was withdrawn by its CNA. Further investigation showed that it cannot be considered a security issue in the originally named product because of that product's specification.