Bug 1298839 (CVE-2016-1904) - CVE-2016-1904 php: heap buffer overflow in escapeshell functions
Summary: CVE-2016-1904 php: heap buffer overflow in escapeshell functions
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-1904
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1298843
Blocks: 1298833
TreeView+ depends on / blocked
 
Reported: 2016-01-15 09:07 UTC by Andrej Nemec
Modified: 2019-09-29 13:42 UTC (History)
14 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-01-22 20:21:16 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
PHP Bug Tracker 71270 0 None None None 2016-01-22 20:10:05 UTC

Description Andrej Nemec 2016-01-15 09:07:46 UTC 
There exist a heap-based buffer overflow that allows one to write a user
tainted data past an allocated buffer. This vulnerability lies in the
following functions:

escapeshellarg
escapeshellcmd

On a default php installation, the memory limit is set to 128MB and this
vulnerability is not triggerable. The analysis shows that this is
triggerable when memory limit is roughly > 1024mb.

Upstream bug:

https://bugs.php.net/bug.php?id=71270

Original report with reproducer:

http://seclists.org/oss-sec/2016/q1/98

CVE assignment:

http://seclists.org/oss-sec/2016/q1/100

Patch:

https://github.com/php/php-src/commit/2871c70efaaaa0f102557a17c727fd4d5204dd4b
Comment 1 Andrej Nemec 2016-01-15 09:09:00 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1298843]
Comment 2 Remi Collet 2016-01-15 09:20:10 UTC 
This patch affects PHP 7, so none of the available PHP version in RHEL or RHSCL is affected.
Comment 3 Tomas Hoger 2016-01-22 20:21:16 UTC 
Apparently introduced in:

https://github.com/php/php-src/commit/70ddc853fd4757004ac488e6ee892897bb6f395a

As noted in comment 2, this did not affect any PHP version as shipped in Red Hat Enterprise Linux and Red Hat Software Collections.
Note You need to log in before you can comment on or make changes to this bug.