SB2014020519 - Buffer over-read in php (Alpine package)
Published: February 5, 2014
Description
This security bulletin contains information about 1 security vulnerability.
1) Buffer over-read (CVE-ID: CVE-2013-6712)
The vulnerability allows a remote attacker to cause a denial-of-service (DoS) condition.
The vulnerability exists because the scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict the creation of DateInterval objects. A remote attacker who can supply the interval specification (the ISO 8601 duration string given to the DateInterval constructor) can trigger a heap-based buffer over-read and crash the service via a crafted interval specification.
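The only fix is the updated package, since the over-read is inside PHP's own interval scanner. Where an application passes user-supplied duration strings to DateInterval, an allowlist in front of the constructor limits what reaches that scanner while the update is rolled out. The following is an added example written for this bulletin, not code from PHP or from the bulletin itself; the regular expression is this example's own assumption about the designator form DateInterval accepts (P[nY][nM][nD][T[nH][nM][nS]] or P[nW]), and the sample inputs are constructed. It deliberately contains no crash-triggering specification.

```php
<?php
/*
 * Added example: allowlist validation of ISO 8601 duration strings before
 * they are handed to DateInterval. This does not repair the scanner; it
 * only keeps arbitrary input away from it. The pattern is an assumption
 * of this example (designator form only, no PYYYY-MM-DDTHH:MM:SS form).
 */

// Strict ISO 8601 duration allowlist. The lookaheads reject 'P', 'PT' and a
// trailing 'T'; weeks may not be mixed with other units; digit runs are
// capped so the parsed component values stay small.
define('ISO_DURATION_RE',
    '/^P(?=\d|T\d)(?:\d{1,9}W|(?:\d{1,9}Y)?(?:\d{1,9}M)?(?:\d{1,9}D)?'
    . '(?:T(?=\d)(?:\d{1,9}H)?(?:\d{1,9}M)?(?:\d{1,9}S)?)?)$/');

/**
 * @param mixed $spec untrusted value, expected to be a string
 * @return bool true only when the spec matches the allowlist
 */
function isWellFormedIsoDuration($spec)
{
    // Cheap rejections first: wrong type, empty, or absurdly long.
    if (!is_string($spec) || $spec === '' || strlen($spec) > 64) {
        return false;
    }
    return preg_match(ISO_DURATION_RE, $spec) === 1;
}

/**
 * Build a DateInterval from untrusted input, or return null.
 * The constructor still throws on anything it cannot parse, so that is
 * caught too rather than surfacing as an uncaught exception.
 *
 * @param string $untrusted
 * @return DateInterval|null
 */
function safeInterval($untrusted)
{
    if (!isWellFormedIsoDuration($untrusted)) {
        return null;
    }
    try {
        return new DateInterval($untrusted);
    } catch (Exception $e) {
        return null;
    }
}

// Constructed sample inputs for this example; expected acceptance on the right.
$samples = array(
    'P1Y2M3DT4H5M6S' => true,
    'P2W'            => true,
    'PT30M'          => true,
    'P'              => false, // no components at all
    'PT'             => false, // dangling time designator
    'P1DT'           => false, // trailing time designator
    'P1Y2W'          => false, // weeks mixed with other units
    'P-1D'           => false, // sign is not part of the designator form
    'P' . str_repeat('9', 100) . 'D' => false, // oversized value
);

foreach ($samples as $spec => $expected) {
    $accepted = safeInterval($spec) !== null;
    printf("%-16s %-8s %s\n", $spec,
        $accepted ? 'accepted' : 'rejected',
        $accepted === $expected ? '' : 'UNEXPECTED');
}
```

Run the script with any PHP interpreter; every sample should print the expected verdict with no UNEXPECTED marker. The allowlist is a mitigation for code paths that accept interval specifications from clients, and it does nothing for intervals built internally or for the parser itself, so the package update below is still required.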
Remediation
Install the updated php package from the vendor (Alpine Linux); the aports commits carrying the fix are listed under References.
References
- https://git.alpinelinux.org/aports/commit/?id=4bac042f438038d28cfeec08b87ed83b44c4be04
- https://git.alpinelinux.org/aports/commit/?id=98c0c115fce1bf18f45a47ae7f0c86db3fb1e11f
- https://git.alpinelinux.org/aports/commit/?id=70ed1cdcd3092db0c6e2dd91aca27851ab8b6222
- https://git.alpinelinux.org/aports/commit/?id=430d2e5e023a5bf045ee81ed0f8c745fce900d24