Red Hat Bugzilla – Bug 306821
CVE-2007-3294 php tidy extension buffer overflow
Last modified: 2007-09-26 11:48:58 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-3294 to the following vulnerability: Multiple buffer overflows in libtidy, as used in the Tidy extension for PHP 5.2.3 and possibly other products, allow context-dependent attackers to execute arbitrary code via (1) a long second argument to the tidy_parse_string function or (2) an unspecified vector to the tidy_repair_string function. NOTE: this might only be an issue in environments where vsnprintf is implemented as a wrapper for vsprintf. References: http://www.milw0rm.com/exploits/4080 http://secunia.com/advisories/25735 http://xforce.iss.net/xforce/xfdb/34931
This issue does not affect php as shipped in Red Hat Enterprise Linux 2.1, 3, 4, or 5, as those packages are not built with libtidy support.
php-tidy in Fedora does not demonstrate any problems with large arguments passed to tidy functions.