Re: CVE request: PHP xmlrpc date_from_ISO8601() buffer overflow (in php < 5.2.7)

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> While looking at the recent PHP CVE-2014-3668, a worse problem was
> spotted in the same code that affected older PHP versions.  The
> date_from_ISO8601() function optionally copied input to a fixed size
> local buffer without performing any bounds checks:
>
> http://git.php.net/?p=php-src.git;a=blob;f=ext/xmlrpc/libxmlrpc/xmlrpc.c;h=d82f270#l168
>
> The issue was reported and corrected via:
>
> https://bugs.php.net/bug.php?id=45226
> http://git.php.net/?p=php-src.git;a=commit;h=c818d0d01341907fee82bdb81cab07b7d93bb9db
>
> The fix was included in PHP 5.2.7:
>
> http://php.net/ChangeLog-5.php#5.2.7
>
>   Fixed bugs #45226, #18916 (xmlrpc_set_type() segfaults and wrong behavior
>   with valid ISO8601 date string). (Jeff Lawsons)
>
> It wasn't flagged as security fix, which seems incorrect to me.  This
> overflow can be triggered by a malicious XML passed to xmlrpc_decode*
> PHP functions.

Use CVE-2014-8626.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUW1xjAAoJEKllVAevmvmsOowIAIsXbqHmKb2XiWPEulUL+DS8
rokejI8IfqNaRYwlAs8LPOkzB5zsKnbSHtFgVhOCaOXgfASPSU5IuL2yyxami2rW
WuNmzW3vU8U5lBkVe11km8OqO2Db9z9KtDyuBOVG1hCFbzNTTljwwzri4lTpGzxN
vUTLzaBBW3DCFp0ADEET2ua54HJLbzRxDRHbK9L4HuHfKao/PzuAZz02+xv6LYgU
u+oq+CKHYnqfOMUomaOy1KPeYEEL1UGhCoCqmdR7geKE/KoEDVI+ueTwM+mZKo9Z
0IaE+Wh4gZV88/TkthzRcnLdqqSdCKpJCEEoUrvPTr+rpKXRp+rvhVOwx0+dKtg=
=mwMi
-----END PGP SIGNATURE-----