Bug 667806 (CVE-2010-4645) - CVE-2010-4645 php: hang on numeric value 2.2250738585072011e-308 with x87 fpu
Summary: CVE-2010-4645 php: hang on numeric value 2.2250738585072011e-308 with x87 fpu
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-4645
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 670439 670461 670463 670464
Blocks:
 
Reported: 2011-01-06 20:30 UTC by Vincent Danen
Modified: 2023-05-31 15:40 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-04 09:05:59 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0195 0 normal SHIPPED_LIVE Moderate: php security update 2011-02-03 18:56:12 UTC
Red Hat Product Errata RHSA-2011:0196 0 normal SHIPPED_LIVE Moderate: php53 security update 2011-02-03 19:16:54 UTC

Description Vincent Danen 2011-01-06 20:30:39 UTC
A flaw in how PHP handled the numeric value 2.2250738585072011e-308 was reported [1].  If a script were to assign this value to a variable, it could cause PHP to hang (infinite loop).  This issue has been fixed in upstream PHP [2] 5.2.17 and 5.3.5.

[1] http://bugs.php.net/53632
[2] http://svn.php.net/viewvc?view=revision&revision=307095

Comment 1 Vincent Danen 2011-01-06 20:56:55 UTC
I have not been able to reproduce this on RHEL4 (4.3.9) or RHEL5 (5.1.6) on x86.  I have reproduced it on RHEL6 (5.3.2) and Fedora 14 (5.3.4), both x86.  It does not reproduce on Fedora 14 x86_64, so this is x86-only.

Comment 2 Michał Piotrowski 2011-01-06 21:11:38 UTC
Please also add:

r307168 | pajoye | 2011-01-06 18:08:46 +0100 (czw) | 1 linia

- fix vc6 random behavior for Fix bug #53632 with x87 fpu

Comment 3 Vincent Danen 2011-01-07 00:24:29 UTC
Note that upstream has put up a checking script to see if your system is vulnerable:  http://www.php.net/distributions/test_bug53632.txt

Comment 4 Joe Orton 2011-01-07 08:54:21 UTC
Michal, r307168 is MSVC-specific and won't have any effect on Linux.

Comment 16 errata-xmlrpc 2011-02-03 18:56:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0195 https://rhn.redhat.com/errata/RHSA-2011-0195.html

Comment 17 errata-xmlrpc 2011-02-03 19:17:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0196 https://rhn.redhat.com/errata/RHSA-2011-0196.html

Comment 18 Vincent Danen 2011-02-03 19:28:28 UTC
Statement:

This issue leads to a temporary denial of service (high CPU consumption) when a PHP script handles numeric values from untrusted user input. It does not affect the versions of PHP as shipped with Red Hat Enterprise Linux 3, 4 or 5.  It did affect the PHP 5.3 (php53) package on Red Hat Enterprise Linux 5.
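
A detection sketch for the untrusted-input case described in the Statement above, added here as an example and not taken from the bug report or from PHP: it flags query-string values that are numerically equal to the reported literal, so rescaled or percent-encoded spellings are caught as well as the exact string. The names `is_trigger`, `suspicious_params`, `flagged` and the sample requests are constructed; treating rescaled and negated spellings as equivalent to the reported value is an assumption.

```python
import re
from decimal import Decimal
from urllib.parse import urlsplit, parse_qsl

# The literal from the bug title; compared numerically, not as text.
TRIGGER = Decimal("2.2250738585072011e-308")

# Decimal floating-point literal: optional sign, digits with an optional
# decimal point, optional exponent.
NUMERIC = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")


def is_trigger(text):
    """True if text is a decimal literal whose magnitude equals TRIGGER."""
    text = text.strip()
    if not NUMERIC.fullmatch(text):
        return False
    try:
        # Decimal construction and comparison are exact, so
        # 22.250738585072011E-309 matches but ...012e-308 does not.
        # The sign is ignored (conservative assumption).
        return abs(Decimal(text)) == TRIGGER
    except ArithmeticError:  # exponent outside what Decimal can represent
        return False


def suspicious_params(url):
    """Return (name, value) query parameters whose value is the trigger number."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(name, value) for name, value in pairs if is_trigger(value)]


# Constructed sample request targets, as they might appear in an access log.
SAMPLE_REQUESTS = [
    "/cart.php?qty=2.2250738585072011e-308",           # exact literal
    "/cart.php?qty=22.250738585072011E-309&id=7",      # rescaled, upper-case E
    "/cart.php?id=7&qty=2%2E2250738585072011e-308",    # percent-encoded point
    "/cart.php?qty=2.2250738585072012e-308",           # neighbouring value
    "/cart.php?qty=3&note=2.2250738585072011e-308x",   # not a numeric literal
]


def flagged(requests=SAMPLE_REQUESTS):
    """Requests that carry at least one trigger-valued parameter."""
    return [r for r in requests if suspicious_params(r)]


if __name__ == "__main__":
    for request in flagged():
        print("flag:", request, suspicious_params(request))
```
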

