Bug 782943 (CVE-2011-4153) - CVE-2011-4153 php: zend_strndup() NULL pointer dereference may cause DoS
Summary: CVE-2011-4153 php: zend_strndup() NULL pointer dereference may cause DoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-4153
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 819855 819856 830727 830728 830729 830730
Blocks: 782956 835958 835959 835960
TreeView+ depends on / blocked
 
Reported: 2012-01-18 22:21 UTC by Vincent Danen
Modified: 2019-09-29 12:50 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-27 17:16:35 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1045 0 normal SHIPPED_LIVE Moderate: php security update 2012-06-27 19:48:39 UTC
Red Hat Product Errata RHSA-2012:1046 0 normal SHIPPED_LIVE Moderate: php security update 2012-06-27 19:48:23 UTC
Red Hat Product Errata RHSA-2012:1047 0 normal SHIPPED_LIVE Moderate: php53 security update 2012-06-27 19:47:13 UTC

Description Vincent Danen 2012-01-18 22:21:29 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4153 to
the following vulnerability:

Name: CVE-2011-4153
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4153
Assigned: 20111021
Reference: http://archives.neohapsis.com/archives/bugtraq/2012-01/0092.html
Reference: http://www.exploit-db.com/exploits/18370/
Reference: http://cxsecurity.com/research/103

PHP 5.3.8 does not always check the return value of the zend_strndup
function, which might allow remote attackers to cause a denial of
service (NULL pointer dereference and application crash) via crafted
input to an application that performs strndup operations on untrusted
string data, as demonstrated by the define function in
zend_builtin_functions.c, and unspecified functions in
ext/soap/php_sdl.c, ext/standard/syslog.c, ext/standard/browscap.c,
ext/oci8/oci8.c, ext/com_dotnet/com_typeinfo.c, and
main/php_open_temporary_file.c.
Comment 1 Vincent Danen 2012-01-18 22:37:55 UTC 
I don't see in the 5.3.9 changelog that this has been corrected, so Fedora may indeed be affected by this.
Comment 2 Vincent Danen 2012-01-18 22:43:36 UTC 
The upstream bug is here:

https://bugs.php.net/bug.php?id=55748

And the upstream commit for the 5.3 branch is here:

http://svn.php.net/viewvc/?view=revision&revision=319457
Comment 3 Vincent Danen 2012-01-18 22:50:00 UTC 
Also this commit is relevant, the above is just for oci8.c.

http://svn.php.net/viewvc?view=revision&revision=319442

Looks like the fix from r319457 made it into 5.3.x, but the fix from r319442 did not, or did not fully, looking at:

http://svn.php.net/viewvc/php/php-src/tags/php_5_3_9/ext/com_dotnet/com_typeinfo.c?view=log
Comment 4 Remi Collet 2012-01-19 05:22:39 UTC 
oci8 (Oracle) and com_dotnet (Windows) extensions are not available in fedora
Comment 8 errata-xmlrpc 2012-06-27 15:52:14 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1047 https://rhn.redhat.com/errata/RHSA-2012-1047.html
Comment 9 errata-xmlrpc 2012-06-27 15:52:48 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1046 https://rhn.redhat.com/errata/RHSA-2012-1046.html
Comment 10 errata-xmlrpc 2012-06-27 15:54:04 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1045 https://rhn.redhat.com/errata/RHSA-2012-1045.html
Note You need to log in before you can comment on or make changes to this bug.