Bug 733744 (CVE-2011-3268) - CVE-2011-3268 PHP crash in crypt() from long salt
Summary: CVE-2011-3268 PHP crash in crypt() from long salt
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-3268
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20110817,reported=20110825,sou...
Depends On:
Blocks: 732517
TreeView+ depends on / blocked
 
Reported: 2011-08-26 16:40 UTC by Josh Bressers
Modified: 2019-06-08 18:54 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-19 06:21:16 UTC


Attachments (Terms of Use)

Description Josh Bressers 2011-08-26 16:40:28 UTC
Buffer overflow in the crypt function in PHP before 5.3.7 allows
context-dependent attackers to have an unspecified impact via a long
salt argument, a different vulnerability than CVE-2011-2483.

Comment 1 Huzaifa S. Sidhpurwala 2011-09-19 05:56:01 UTC
Reference:
https://bugs.php.net/bug.php?id=55439

Upstream patch:
http://svn.php.net/viewvc/?view=revision&revision=315338

Patch for php-5.3 and php-5.4:
http://svn.php.net/viewvc?view=revision&revision=315218

Comment 2 Huzaifa S. Sidhpurwala 2011-09-19 06:20:33 UTC
This vuln. will arise only either or both of the patches below have been applied:

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/php_crypt_r.c?r1=313615&r2=314434

Here strcat is replaced by strncat

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/php_crypt_r.c?r1=314434&r2=314438

Here strncat is replaced by strlcat

And finally the patch to correct this issue reverts strlcat to strcat.

Statement:

Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 4, 5, or 6. This issue did not affect the version of php53 as shipped with Red Hat Enterprise Linux 5.


Note You need to log in before you can comment on or make changes to this bug.