Bug 670806 - (CVE-2010-4699) CVE-2010-4699 php: iconv_mime_decode_headers skips headers using unsupported encoding
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Assigned To: Red Hat Product Security
impact=none,reported=20110118,public=...
Reported: 2011-01-19 07:58 EST by Tomas Hoger
Modified: 2015-08-19 05:02 EDT
Doc Type: Bug Fix
Last Closed: 2011-01-20 16:01:59 EST
Description Tomas Hoger 2011-01-19 07:58:53 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4699 to the following issue:

The iconv_mime_decode_headers function in the Iconv extension in PHP
before 5.3.4 does not properly handle encodings that are unrecognized
by the iconv and mbstring (aka Multibyte String) implementations,
which allows remote attackers to trigger an incomplete output array,
and possibly bypass spam detection or have unspecified other impact,
via a crafted Subject header in an e-mail message, as demonstrated by
the ks_c_5601-1987 character set.

References:
http://bugs.php.net/52941
http://www.php.net/ChangeLog-5.php#5.3.4
http://coding.derkeiler.com/Archive/PHP/php.general/2007-04/msg00605.html

Upstream commit:
http://svn.php.net/viewvc/?view=revision&revision=303890
Comment 1 Tomas Hoger 2011-01-20 06:20:54 EST
This looks more like a regular bug / enhancement rather than a security flaw.  Upstream did not consider this to be a security fix, and the security impacts mentioned in the CVE description are fairly vague.

Checking with the upstream SVN test case, this bug occurs when iconv_mime_decode_headers is called with the ICONV_MIME_DECODE_CONTINUE_ON_ERROR flag, i.e. when it's asked to continue parsing headers even when some error was detected.  So it's asked to perform a best effort recovery for the malformed input.  When called without this flag set, iconv_mime_decode_headers returns false.

Fixing the code that tries to recover from errors is a bug fix, but it does not seem to qualify as a security fix.  Joe, do you possibly see what I may be missing?
Comment 3 Joe Orton 2011-01-20 07:56:40 EST
No, I don't see any security issue there, I presume it is extrapolated from "skipping spam checks".  Even upstream didn't list this under the security fixes in the 5.3.4 changes.
Comment 4 Tomas Hoger 2011-01-20 16:01:59 EST
Statement:

Red Hat does not consider this issue to be a security vulnerability, but rather considers this to be a non-security bug.
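
A defensive check for the behaviour discussed in this bug, as an added example that is not part of the bug report or of PHP's own code: it calls iconv_mime_decode_headers with ICONV_MIME_DECODE_CONTINUE_ON_ERROR and compares the decoded array against the field names found in the raw header block, so a caller can detect an incomplete output array instead of passing it on. The function name decode_headers_checked and the sample message are constructed for illustration; whether anything is reported missing depends on the PHP version and the iconv implementation in use.

```php
<?php
// Added example, not from the bug report. Header names are compared
// case-insensitively; the sample message below is constructed.

/**
 * Decode headers with best-effort recovery and report any header names that
 * are present in the raw block but absent from the decoded array.
 */
function decode_headers_checked(string $raw): array
{
    // Collect header field names from the raw block. Folded continuation
    // lines start with whitespace and are not new fields.
    $expected = [];
    foreach (preg_split('/\r\n|\n|\r/', $raw) as $line) {
        if ($line === '') {
            break; // end of header block
        }
        if (preg_match('/^([!-9;-~]+)[ \t]*:/', $line, $m)) {
            $expected[strtolower($m[1])] = true;
        }
    }

    $decoded = iconv_mime_decode_headers($raw, ICONV_MIME_DECODE_CONTINUE_ON_ERROR, 'UTF-8');
    if ($decoded === false) {
        return ['headers' => [], 'missing' => array_keys($expected)];
    }

    $seen = array_change_key_case($decoded, CASE_LOWER);
    $missing = array_keys(array_diff_key($expected, $seen));
    return ['headers' => $decoded, 'missing' => $missing];
}

// Constructed sample: the Subject uses the charset label named in the CVE text.
$raw = "From: sender@example.test\r\n"
     . "Subject: =?ks_c_5601-1987?B?vsiz58fPvLy/5A==?=\r\n"
     . "To: rcpt@example.test\r\n";

$result = decode_headers_checked($raw);
if ($result['missing'] !== []) {
    // Fail closed: do not hand a partial header set to downstream filters.
    echo "incomplete decode, missing: " . implode(', ', $result['missing']) . "\n";
} else {
    echo "all " . count($result['headers']) . " header fields decoded\n";
}
```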
