[v2.7] php: remote DoS, Fileinfo component (CVE-2014-0237 CVE-2014-0238)
CVE-2014-0237 / CVE-2014-0238:
The cdf_unpack_summary_info function in cdf.c in the Fileinfo
component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote
attackers to cause a denial of service (performance degradation) by
triggering many file_printf calls.
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
•CONFIRM: http://www.php.net/ChangeLog-5.php
•CONFIRM: https://bugs.php.net/bug.php?id=67328
•CONFIRM:
https://github.com/file/file/commit/b8acc83781d5a24cc5101e525d15efe0482c280d
•CONFIRM: https://bugs.php.net/bug.php?id=67327
•CONFIRM:
https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0
(from redmine: issue id 3023, created on 2014-06-10, closed on 2014-06-11)
- Relations:
- parent #3020 (closed)
- Changesets:
- Revision 5f553368 by Natanael Copa on 2014-06-10T15:45:26Z:
main/php: security upgrade to 5.5.13 (CVE-2014-0237,CVE-2014-0238)
fixes #3023