~ubuntu-security/ubuntu-cve-tracker/master

PublicDateAtUSN: 2008-08-14
PublicDate: 2008-08-14
Candidate: CVE-2008-3659
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
 https://bugs.launchpad.net/ubuntu/+source/php5/+bug/286851
 http://www.ubuntu.com/usn/usn-720-1
Description:
 Buffer overflow in the memnstr function in PHP 4.4.x before 4.4.9 and PHP
 5.6 through 5.2.6 allows context-dependent attackers to cause a denial of
 service (crash) and possibly execute arbitrary code via the delimiter
 argument to the explode function.  NOTE: the scope of this issue is limited
 since most applications would not use an attacker-controlled delimiter, but
 local attacks against safe_mode are feasible.
Ubuntu-Description:
Notes:
 jdstrand> per Debian, php5 -d memory_limit=256M -r \
  '$res = explode(str_repeat("A",145999999),1);'
 (From upstream's ext/standard/tests/strings/explode_bug.phpt)
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499988
Priority: medium
Discovered-by:
Assigned-to:

Patches_php4:
upstream_php4: needs-triage
dapper_php4: ignored (reached end-of-life)
feisty_php4: DNE
gutsy_php4: DNE
hardy_php4: DNE
intrepid_php4: DNE
jaunty_php4: DNE
karmic_php4: DNE
devel_php4: DNE

Patches_php5:
 vendor: http://www.debian.org/security/2008/dsa-1647
 vendor: http://patch-tracking.debian.net/patch/series/view/php5/5.2.0-8+etch13/139-CVE-2008-3659.patch
 upstream: http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch
 upstream: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/explode_bug.phpt?hideattic=1&r1=1.1&r2=1.1.2.1 (test)
upstream_php5: needs-triage
dapper_php5: released (5.1.2-1ubuntu3.13)
feisty_php5: needed (reached end-of-life)
gutsy_php5: released (5.2.3-1ubuntu6.5)
hardy_php5: released (5.2.4-2ubuntu5.5)
intrepid_php5: released (5.2.6-2ubuntu4.1)
jaunty_php5: not-affected (5.2.6.dfsg.1-3ubuntu2)
karmic_php5: not-affected (5.2.6.dfsg.1-3ubuntu2)
devel_php5: not-affected (5.2.6.dfsg.1-3ubuntu2)