Bug 1573464 - Iconv stream filter EXT/ICONV/ICONV.C denial of service (CVE-2018-10546)
Summary: Iconv stream filter EXT/ICONV/ICONV.C denial of service (CVE-2018-10546)
Status: CLOSED DUPLICATE of bug 1578432
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: php
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Remi Collet
QA Contact: RHEL Stacks Subsystem QE
Depends On:
Blocks: 1574650
TreeView+ depends on / blocked
Reported: 2018-05-01 11:06 UTC by Pim Rupert
Modified: 2021-01-14 09:27 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-07-02 07:17:29 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Pim Rupert 2018-05-01 11:06:10 UTC
Description of problem:

A vulnerability was found in PHP up to 5.6.35/7.0.29/7.1.16/7.2.4. It has been classified as problematic. Affected is an unknown function of the file ext/iconv/iconv.c of the component iconv Stream Filter. The manipulation with an unknown input leads to a denial of service vulnerability (Loop). CWE is classifying the issue as CWE-835. This is going to have an impact on availability.

The weakness was shared 04/29/2018. The advisory is shared for download at php.net (http://php.net/ChangeLog-5.php). This vulnerability is traded as CVE-2018-10546 since 04/29/2018. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are known technical details, but no exploit is available.

Upgrading to version 5.6.36, 7.0.30, 7.1.17 or 7.2.5 eliminates this vulnerability.


Please backport the fix to PHP 5.4 packages on EL 7.

Comment 4 Joe Orton 2019-07-02 07:17:29 UTC

*** This bug has been marked as a duplicate of bug 1578432 ***

Note You need to log in before you can comment on or make changes to this bug.