The URL parsing functions of the PECL HTTP extension allow overflowing a buffer with data originating from an arbitrary HTTP request. Affected are the parse_*() functions in php_http_url.c that are called from within php_http_url_parse(). Other parsing functions were not tested but might be affected as well.

The problem occurs when non-printable characters contained in a URL are converted into percent-encoding. The state->offset used in these functions is incremented without sufficient checks regarding the size of the allocated state->buffer.

Upstream bug:
https://bugs.php.net/bug.php?id=71719

Upstream patch:
https://github.com/m6w6/ext-http/commit/3724cd76a28be1d6049b5537232e97ac567ae1f5

CVE assignment:
http://seclists.org/oss-sec/2016/q2/622
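The bug class described above, as an added C illustration that is not code from ext-http: percent-encoding turns one input byte into three output bytes, so the remaining capacity has to be checked against the expanded size before the offset moves. The names enc_state, enc_put and enc_url_bytes are hypothetical, and the rule for which bytes get encoded is a simplification assumed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical parser state modelled on the description above:
 * a fixed-size output buffer and a write offset into it. */
struct enc_state {
    char  *buffer;
    size_t size;    /* bytes allocated for buffer */
    size_t offset;  /* next write position */
};

/* Append one input byte, percent-encoding anything outside 0x21..0x7e
 * (assumed rule). Returns 0 on success, -1 if it would not fit. */
static int enc_put(struct enc_state *st, unsigned char c)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t need = (c < 0x21 || c > 0x7e) ? 3 : 1;

    /* Bounds check on the expanded size, leaving room for the NUL.
     * Checking only for one byte per input byte is not enough. */
    if (st->offset >= st->size || need > st->size - st->offset - 1)
        return -1;

    if (need == 3) {
        st->buffer[st->offset++] = '%';
        st->buffer[st->offset++] = hex[c >> 4];
        st->buffer[st->offset++] = hex[c & 0x0f];
    } else {
        st->buffer[st->offset++] = (char)c;
    }
    st->buffer[st->offset] = '\0';
    return 0;
}

/* Encode len bytes of in into out[outsz]. Returns the encoded length,
 * or -1 when the expanded input does not fit (nothing is overrun). */
long enc_url_bytes(const unsigned char *in, size_t len,
                   char *out, size_t outsz)
{
    struct enc_state st = { out, outsz, 0 };
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < len; i++)
        if (enc_put(&st, in[i]) != 0)
            return -1;
    return (long)st.offset;
}
```

A buffer sized to the raw input length is too small here; the worst case is three times the input length plus one byte for the terminator.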
Created php-pecl-http tracking bugs for this issue:

Affects: fedora-all [bug 1351194]
Affects: epel-all [bug 1351195]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.