Red Hat Bugzilla – Bug 689365
CVE-2011-1464 php: Crash by retrieving string value of a variable, when high precision used
Last modified: 2012-05-15 12:00:01 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1464 to the following vulnerability: Buffer overflow in the strval function in PHP before 5.3.6, when the precision configuration option has a large value, might allow context-dependent attackers to cause a denial of service (application crash) via a small numerical value in the argument. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1464 [2] http://bugs.php.net/bug.php?id=54055 [3] http://www.php.net/ChangeLog-5.php [4] http://www.php.net/archive/2011.php [5] http://www.php.net/releases/5_3_6.php
Public PoC (from [2]): ====================== <?php for($i = 500; $i <= 1074; $i++) { ini_set('precision', $i); print "$i\n"; strval(pow(2, -1074)); }
Fix upstream: http://svn.php.net/viewvc?view=revision&revision=308525
This issue did NOT affect the versions of the php package, as shipped with Red Hat Enterprise Linux 4 and 5. -- This issue affects the versions of the php53 package, as shipped with Red Hat Enterprise Linux 5. This issue affects the versions of the php package, as shipped with Red Hat Enterprise Linux 6. -- This issue affects the versions of the php package, as shipped with Fedora release of 13 and 14.
Statement: Red Hat does not consider this flaw to be a security issue. It is improbable that a script would accept untrusted user input or unvalidated script input data to the strval() function. Input passed to the functions is therefore under the full control of the script author and no trust boundary is crossed. As well, an administrator would have to excessively increase the precision settings in order to trigger this flaw.
Well, it is likely that especially a PHP script accepts untrusted user input, but looks like you are trusting developers writing PHP code more than me.