Bug 1132589 (CVE-2014-3597) - CVE-2014-3597 php: multiple buffer over-reads in php_parserr
Summary: CVE-2014-3597 php: multiple buffer over-reads in php_parserr
Status: CLOSED ERRATA
Alias: CVE-2014-3597
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20140730,reported=2...
Keywords: Security
Depends On: 1114521 1140017 1140018 1140023 1140026 1140027 1149762 1149771
Blocks: 1108453 1138881 1149858
TreeView+ depends on / blocked
 
Reported: 2014-08-21 15:26 UTC by Vincent Danen
Modified: 2018-12-09 18:25 UTC (History)
5 users (show)

Fixed In Version: php 5.5.16, php 5.4.32
Doc Type: Bug Fix
Doc Text:
Multiple buffer over-read flaws were found in the php_parserr() function of PHP. A malicious DNS server or a man-in-the-middle attacker could possibly use this flaw to crash a PHP application that used the dns_get_record() function to perform a DNS query.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-31 09:49:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1326 normal SHIPPED_LIVE Moderate: php53 and php security update 2014-09-30 09:14:20 UTC
Red Hat Product Errata RHSA-2014:1327 normal SHIPPED_LIVE Moderate: php security update 2014-09-30 13:09:42 UTC
Red Hat Product Errata RHSA-2014:1765 normal SHIPPED_LIVE Important: php54-php security update 2014-10-30 23:45:24 UTC
Red Hat Product Errata RHSA-2014:1766 normal SHIPPED_LIVE Important: php55-php security update 2014-10-30 23:45:12 UTC

Description Vincent Danen 2014-08-21 15:26:18 UTC
During the testing of the patch to fix CVE-2014-4049 (bug 1108447) in PHP, other possible buffer overflows were discovered [1] that led to a segfault in dns_get_record():

- code rely on dlen (from server response) without overflow check
- code call dn_expand without sending real "end" of answer

It has been corrected upstream [2] and a reproducer to test is available [3].  This will be fixed in upstream 5.4.32 (currently unreleased).


[1] https://bugs.php.net/bug.php?id=67717
[2] https://github.com/php/php-src/commit/2fefae47716d501aec41c1102f3fd4531f070b05
[3] https://bugs.php.net/patch-display.php?bug=67717&patch=repro.patch&revision=1406726280

Comment 1 Vincent Danen 2014-08-22 18:58:11 UTC
This is corrected in upstream PHP 5.5.16 and 5.4.32:

http://php.net/ChangeLog-5.php#5.5.16
http://php.net/ChangeLog-5.php#5.4.32

Comment 7 Tomas Hoger 2014-09-11 08:30:48 UTC
This does not seem to really qualify as "incomplete CVE-2014-4049 fix".  The fix under CVE-2014-4049 addressed buffer over-write (with buffer over-read happening at the same time) that could lead to heap memory corruption.  This additional fix adds additional checks against buffer over-reads, which are not limited to the processing of the TXT DNS resource records.

Adjusting CVSSv2 score and impact rating, as it should not match score and rating of the CVE-2014-4049 issue.

Comment 8 Francisco Alonso 2014-09-22 10:06:54 UTC
Acknowledgments:

This issue was discovered by David Kutálek of Red Hat BaseOS QE.

Comment 9 Martin Prpič 2014-09-25 12:14:37 UTC
IssueDescription:

Multiple buffer over-read flaws were found in the php_parserr() function of PHP. A malicious DNS server or a man-in-the-middle attacker could possibly use this flaw to crash a PHP application that used the dns_get_record() function to perform a DNS query.

Comment 10 errata-xmlrpc 2014-09-30 05:15:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:1326 https://rhn.redhat.com/errata/RHSA-2014-1326.html

Comment 11 errata-xmlrpc 2014-09-30 09:10:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1327 https://rhn.redhat.com/errata/RHSA-2014-1327.html

Comment 14 errata-xmlrpc 2014-10-30 19:46:38 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html

Comment 15 errata-xmlrpc 2014-10-30 19:55:03 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html

Comment 16 Tomas Hoger 2014-10-31 09:49:15 UTC
Statement:

This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 5.


Note You need to log in before you can comment on or make changes to this bug.