It was reported that functions defined in ext/standard/exec.c which work with strings (escapeshellcmd, escapeshellarg, shell_exec) all ignore the length of the PHP string and work with NULL termination instead. If the string is not NULL terminated (some function uses RETURN_STRINGL(buf, len, 0); where buf is not NULL terminated), running these functions will cause a buffer overflow.

Upstream bug: https://bugs.php.net/bug.php?id=71039

Upstream patch: https://git.php.net/?p=php-src.git;a=commit;h=c527549e899bf211aac7d8ab5ceb1bdfedf07f14
Created php tracking bugs for this issue: Affects: fedora-all [bug 1305565]
Upstream does not believe this is a real security problem. PHP does not normally create strings which are not NULL terminated, making it unlikely to have untrusted, not NULL terminated inputs passed to the affected escaping functions. Therefore, there's currently no plan to backport this fix to PHP versions in Red Hat products.
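
The length-versus-terminator issue from the description, as an added example in C that is not PHP's code or the upstream patch: a hypothetical `escape_arg_counted` helper quotes exactly `len` bytes and rejects embedded NUL bytes, so a buffer with no terminator is never scanned past its end. `SAMPLE` is constructed input.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: 3 payload bytes followed by non-NUL filler, standing in
 * for a counted string whose buffer is not NUL-terminated. */
const char SAMPLE[8] = {'a', '\'', 'b', 'X', 'X', 'X', 'X', 'X'};

/* Hypothetical helper (not PHP's code): single-quote `len` bytes of `in` for a
 * POSIX shell, reading exactly `len` bytes and never searching for a NUL.
 * Returns a malloc'd NUL-terminated string, or NULL on rejection/failure. */
char *escape_arg_counted(const char *in, size_t len, size_t *out_len)
{
    /* A NUL inside the counted range means the length and C-string views
     * disagree; refuse rather than silently truncate the argument. */
    if (memchr(in, '\0', len) != NULL)
        return NULL;

    /* Worst case: every byte is a quote (4 output bytes), plus the two
     * enclosing quotes and the terminator. Guard the size computation. */
    if (len > (SIZE_MAX - 3) / 4)
        return NULL;
    char *out = malloc(4 * len + 3);
    if (out == NULL)
        return NULL;

    size_t o = 0;
    out[o++] = '\'';
    for (size_t i = 0; i < len; i++) {      /* bounded by len, not by NUL */
        if (in[i] == '\'') {
            memcpy(out + o, "'\\''", 4);    /* close, escaped quote, reopen */
            o += 4;
        } else {
            out[o++] = in[i];
        }
    }
    out[o++] = '\'';
    out[o] = '\0';
    *out_len = o;
    return out;
}
```

A `strlen`-based version of the same loop would keep reading through the `X` filler and beyond, which is the behaviour the report describes.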