Bug 1103661 - (CVE-2017-9120) VUL-0: CVE-2017-9120: php7 Integer overflow in mysqli_api.c:mysqli_real_escape_string()
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/212145/
CVSSv3:RedHat:CVE-2017-9120:5.3:(AV:N...
Reported: 2018-08-03 06:22 UTC by Marcus Meissner
Modified: 2021-09-14 12:46 UTC

Found By: Security Response Team

Attachments
CVE-2017-9120.php (175 bytes, application/x-php)
2018-08-03 06:26 UTC, Marcus Meissner

Description Marcus Meissner 2018-08-03 06:22:32 UTC
rh#1611898

PHP 7.x through 7.1.5 allows remote attackers to cause a denial of service
(buffer overflow and application crash) or possibly have unspecified other
impact via a long string because of an Integer overflow in
mysqli_real_escape_string.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1611898
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9120
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9120
https://bugs.php.net/bug.php?id=74544
Comment 1 Marcus Meissner 2018-08-03 06:26:52 UTC
Created attachment 778808
CVE-2017-9120.php

QA REPRODUCER:

needs php mysql installed and the reproducer needs a valid mysql connection inside.

php CVE-2017-9120.php
Comment 2 Petr Gajdos 2018-08-04 08:53:21 UTC
Hmm, I somewhat dislike it when a CVE is assigned without cooperation with upstream. PHP bug 74544 was changed from a security bug to a normal bug by upstream and is therefore perceived as a marginal security issue, if any, not worth a CVE.

I also tried to reproduce with php 7.2.7 and mariadb without any segfault or valgrind errors.

Until more information is known, I will use the patch attached to the bug, as it looks reasonable.
Comment 3 Petr Gajdos 2018-08-04 09:14:24 UTC
12/php5, 11sp3/php53, 11/php5 and 10sp3/php5 use safe_emalloc(), not affected.
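
The arithmetic behind the safe_emalloc() remark in comment 3, as an added example that is not part of the bug thread or of PHP's source. It assumes the escape buffer is sized as 2*len + 1 (the worst case documented for the MySQL C API's mysql_real_escape_string()), models a 32-bit size type with uint32_t so the wrap is visible on any host, and uses hypothetical function names.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumption: model of a 32-bit size_t so the wrap is reproducible anywhere. */
typedef uint32_t size32_t;

/* Unchecked: worst-case escape buffer is 2*len + 1 bytes (every input byte
 * escaped, plus the terminating NUL). The result silently wraps for large
 * len, so the allocation ends up far smaller than the data written to it. */
static size32_t escape_buf_size_unchecked(size32_t len)
{
    return (size32_t)(2u * len + 1u);
}

/* Checked, in the style of safe_emalloc(nmemb, size, offset): compute
 * nmemb * size + offset and report failure instead of wrapping. */
static bool escape_buf_size_checked(size32_t nmemb, size32_t size,
                                    size32_t offset, size32_t *out)
{
    if (size != 0 && nmemb > UINT32_MAX / size)
        return false;                 /* multiplication would overflow */
    size32_t product = nmemb * size;
    if (product > UINT32_MAX - offset)
        return false;                 /* addition would overflow */
    *out = product + offset;
    return true;
}

int main(void)
{
    /* Constructed sample lengths: one ordinary, one past the wrap point. */
    const size32_t lens[] = { 1024u, 0x80000000u };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size32_t sz = 0;
        bool ok = escape_buf_size_checked(2u, lens[i], 1u, &sz);
        printf("len=%u unchecked=%u checked=%s\n", (unsigned)lens[i],
               (unsigned)escape_buf_size_unchecked(lens[i]),
               ok ? "ok" : "rejected");
    }
    return 0;
}
```
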
Comment 4 Petr Gajdos 2018-08-04 09:14:41 UTC
Will submit for 15/php7 and 12/php7.
Comment 5 Petr Gajdos 2018-08-04 09:36:52 UTC
I believe all fixed.
Comment 7 Swamp Workflow Management 2018-08-16 07:08:27 UTC
SUSE-SU-2018:2333-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103659,1103661
CVE References: CVE-2017-9120,CVE-2018-14851
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php7-7.0.7-50.44.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.44.1
Comment 8 Swamp Workflow Management 2018-08-16 07:11:20 UTC
SUSE-SU-2018:2337-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103659,1103661
CVE References: CVE-2017-9120,CVE-2018-14851
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15 (src):    php7-7.2.5-4.6.1
Comment 9 Swamp Workflow Management 2018-08-17 10:31:44 UTC
openSUSE-SU-2018:2405-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1103659,1103661
CVE References: CVE-2017-9120,CVE-2018-14851
Sources used:
openSUSE Leap 42.3 (src):    php7-7.0.7-43.1
openSUSE Leap 15.0 (src):    php7-7.2.5-lp150.2.9.1
Comment 10 Marcus Meissner 2018-09-11 10:04:27 UTC
released
Comment 20 OBSbugzilla Bot 2020-05-12 08:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (1103661) was mentioned in
https://build.opensuse.org/request/show/802846 Factory / php7