Bug 667806 (CVE-2010-4645) - CVE-2010-4645 php: hang on numeric value 2.2250738585072011e-308 with x87 fpu
Summary: CVE-2010-4645 php: hang on numeric value 2.2250738585072011e-308 with x87 fpu
Status: CLOSED ERRATA
Alias: CVE-2010-4645
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20101230,repor...
Keywords: Security
Depends On: 670439 670461 670463 670464
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-01-06 20:30 UTC by Vincent Danen
Modified: 2019-06-08 18:42 UTC (History)
6 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2011-02-04 09:05:59 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0195 normal SHIPPED_LIVE Moderate: php security update 2011-02-03 18:56:12 UTC
Red Hat Product Errata RHSA-2011:0196 normal SHIPPED_LIVE Moderate: php53 security update 2011-02-03 19:16:54 UTC

Description Vincent Danen 2011-01-06 20:30:39 UTC
A flaw in how PHP handled the numeric value 2.2250738585072011e-308 was reported [1].  If a script were to assign this value to a variable, it could cause PHP to hang (infinite loop).  This issue has been fixed in upstream PHP [2] 5.2.17 and 5.3.5.

[1] http://bugs.php.net/53632
[2] http://svn.php.net/viewvc?view=revision&revision=307095

Comment 1 Vincent Danen 2011-01-06 20:56:55 UTC
I have not been able to reproduce this on RHEL4 (4.3.9) or RHEL5 (5.1.6) on x86.  I have reproduced it on RHEL6 (5.3.2) and Fedora 14 (5.3.4), both x86.  It does not reproduce on Fedora 14 x86_64, so this is x86-only.

Comment 2 Michał Piotrowski 2011-01-06 21:11:38 UTC
Please add also

r307168 | pajoye | 2011-01-06 18:08:46 +0100 (czw) | 1 linia

- fix vc6 random behavior for Fix bug #53632 with x87 fpu

Comment 3 Vincent Danen 2011-01-07 00:24:29 UTC
Note that upstream has put up a checking script to see if your system is vulnerable:  http://www.php.net/distributions/test_bug53632.txt

Comment 4 Joe Orton 2011-01-07 08:54:21 UTC
Michal, r307168 is MSVC-specific and won't have any effect on Linux.

Comment 16 errata-xmlrpc 2011-02-03 18:56:33 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0195 https://rhn.redhat.com/errata/RHSA-2011-0195.html

Comment 17 errata-xmlrpc 2011-02-03 19:17:11 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0196 https://rhn.redhat.com/errata/RHSA-2011-0196.html

Comment 18 Vincent Danen 2011-02-03 19:28:28 UTC
Statement:

This issue leads to a temporary denial of service (high CPU consumption) when a PHP script handles numeric values from untrusted user input. It does not affect the versions of PHP as shipped with Red Hat Enterprise Linux 3, 4 or 5.  It  did affect the PHP 5.3 (php53) package on Red Hat Enterprise Linux 5.


Note You need to log in before you can comment on or make changes to this bug.