Bug 690894 - (CVE-2011-1467) CVE-2011-1467 php: NumberFormatter: set a symbol value crash (DoS) on bogus values
CVE-2011-1467 php: NumberFormatter: set a symbol value crash (DoS) on bogus ...
Status: CLOSED DUPLICATE of bug 660382
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Red Hat Product Security
public=20101207,reported=20101207,sou...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-03-25 14:00 EDT by Jan Lieskovsky
Modified: 2015-08-19 05:09 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-03-25 14:13:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2011-03-25 14:00:43 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1467 to
the following vulnerability:

Unspecified vulnerability in the NumberFormatter::setSymbol (aka
numfmt_set_symbol) function in the Intl extension in PHP before 5.3.6
allows context-dependent attackers to cause a denial of service
(application crash) via an invalid argument, a related issue to
CVE-2010-4409.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1467
[2] http://bugs.php.net/bug.php?id=53512
[3] http://www.php.net/ChangeLog-5.php

Upstream patch:
[4] http://svn.php.net/viewvc/?view=revision&revision=306154
[5] http://svn.php.net/viewvc/?view=revision&revision=306157
    (test case)
Comment 1 Jan Lieskovsky 2011-03-25 14:02:26 EDT
Public PoC (from [2]):
======================
numfmt_set_symbol(numfmt_create("en", NumberFormatter::PATTERN_DECIMAL),
2147483648, "");
Comment 2 Jan Lieskovsky 2011-03-25 14:04:07 EDT
This issue did NOT affect the versions of the php package, as shipped
with Red Hat Enterprise Linux 4 and 5.

--

This issue affects the version of the php53 package, as shipped with
Red Hat Enterprise Linux 5.

This issue affects the version of the php package, as shipped with
Red Hat Enterprise Linux 6.

--

This issue does not affect the versions of the php package, as
shipped with Fedora release of 13 and 14 (particular package updates
have been already scheduled).
Comment 3 Tomas Hoger 2011-03-25 14:13:44 EDT
This has already been discussed in bug #660382.

*** This bug has been marked as a duplicate of bug 660382 ***
Comment 4 Vincent Danen 2011-07-27 12:32:52 EDT
Statement:

This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 4 and 5.  The getSymbol() and setSymbol() functions are unlikely to ever receive untrusted input as an $attr argument, and it is even less likely that they would receive such input when only a small set of pre-defined constants is expected.  As a result, this flaw can only be triggered by the script author and cannot be used to cross trust boundaries. The Red Hat Security Response Team does not consider it to be security-relevant.

Note You need to log in before you can comment on or make changes to this bug.