Bug 827317 - (CVE-2013-2110) VUL-1: CVE-2013-2110: php53: php_quot_print_encode heap based overflow
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Petr Gajdos
QA Contact: Security Team bot
Depends on:
Reported: 2013-06-28 07:55 UTC by Marcus Meissner
Modified: 2014-06-12 15:17 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2013-06-28 07:55:14 UTC
is public, via cve db


Heap-based buffer overflow in the php_quot_print_encode function in ext/standard/quot_print.c in PHP before 5.3.26 and 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted argument to the quoted_printable_encode function. 

Comment 1 Marcus Meissner 2013-06-28 07:59:19 UTC
PHP 5.2 and older do not seem to have the function, so they are not affected.
Comment 2 Marcus Meissner 2013-06-28 08:00:21 UTC
The affected piece exists in our code in php53 on SLE11 SP2.
Comment 3 Swamp Workflow Management 2013-06-28 22:00:24 UTC
bugbot adjusting priority
Comment 4 Petr Gajdos 2013-07-02 17:10:45 UTC
Marcus, can you reproduce it with the testcase given in description of php bug? I can't or I haven't understood the real issue.

For multiplier=1000,

ret = safe_emalloc(1, 3 * length + 3 * (((3 * length)/PHP_QPRINT_MAXL) + 1), 0);

should allocate 1*(3*1000 + 3*(((3*1000)/75) + 1)) + 0 = 3123 bytes and *ret_length == 3117 at the end of php_quot_print_encode(), which is below the allocated amount, and *d is monotone.

For multiplier=100000 (second testcase of bug64879.phpt), it allocates 312003 bytes, which also suffice, because *ret_length == 311997 at the end of this function in this case.

Or have I made a mistake somewhere?
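The arithmetic in comment 4 can be checked mechanically. The following C program is an added example; it is not part of this bug report and not PHP's own source. It reproduces the allocation formula quoted above and counts, without writing anything, how many bytes an encoder following the 5.3 line-length rule (break whenever the line would exceed PHP_QPRINT_MAXL) would emit. A second mode models my reading of the 5.4.x rule that breaks earlier so a whole 2-, 3- or 4-byte UTF-8 sequence fits on one line; treat those thresholds as an assumption, not as verified PHP code. The input (n copies of 0xf4, a byte that always needs =XX encoding) is constructed for the example, and all function names are mine.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PHP_QPRINT_MAXL 75   /* maximum encoded line length used by quot_print.c */

/* Allocation size requested by php_quot_print_encode(), as quoted in comment 4:
 * safe_emalloc(1, 3 * length + 3 * (((3 * length) / PHP_QPRINT_MAXL) + 1), 0) */
size_t qp_alloc_size(size_t length)
{
    return 3 * length + 3 * (((3 * length) / PHP_QPRINT_MAXL) + 1);
}

/* Bytes that must be written as =XX (mirrors the encoder's escape test). */
static int needs_escape(unsigned char c, unsigned char next)
{
    return iscntrl(c) || c == 0x7f || (c & 0x80) || c == '=' ||
           (c == ' ' && next == '\015');
}

/* Number of output bytes the encoder would produce, without writing them.
 * use_54_model == 0: 5.3 rule, break when the line would exceed MAXL.
 * use_54_model != 0: assumed 5.4.x rule, break early enough for a whole
 * UTF-8 sequence (2, 3 or 4 encoded bytes) to fit on the current line. */
size_t qp_encoded_len(const unsigned char *str, size_t length, int use_54_model)
{
    size_t lp = 0;    /* current line length */
    size_t out = 0;   /* bytes that would be written, excluding the final NUL */

    while (length--) {
        unsigned char c = *str++;
        unsigned char next = length > 0 ? *str : 0;  /* never read past the input */

        if (c == '\015' && next == '\012' && length > 0) {
            out += 2; str++; length--; lp = 0;        /* CRLF passes through */
        } else if (needs_escape(c, next)) {
            int brk;
            lp += 3;
            if (!use_54_model || c <= 0x7f) brk = lp > PHP_QPRINT_MAXL;
            else if (c <= 0xdf)             brk = lp + 3 > PHP_QPRINT_MAXL;
            else if (c <= 0xef)             brk = lp + 6 > PHP_QPRINT_MAXL;
            else if (c <= 0xf4)             brk = lp + 9 > PHP_QPRINT_MAXL;
            else                            brk = 0;
            if (brk) { out += 3; lp = 3; }            /* soft break "=\r\n" */
            out += 3;                                 /* "=XX" */
        } else {
            if (++lp > PHP_QPRINT_MAXL) { out += 3; lp = 1; }
            out += 1;
        }
    }
    return out;
}

/* The encoder writes ret_length bytes plus a terminating NUL, so the buffer
 * is only sufficient if encoded_len + 1 <= allocated bytes. */
int qp_output_fits(size_t encoded_len, size_t length)
{
    return encoded_len + 1 <= qp_alloc_size(length);
}

/* Constructed input: n copies of byte b. Returns the encoded length. */
size_t qp_len_for_repeated_byte(unsigned char b, size_t n, int use_54_model)
{
    unsigned char *buf = malloc(n ? n : 1);
    size_t len;
    if (!buf) return 0;
    memset(buf, b, n);
    len = qp_encoded_len(buf, n, use_54_model);
    free(buf);
    return len;
}

int main(void)
{
    size_t sizes[] = { 1000, 100000 };   /* the two multipliers from comment 4 */
    for (size_t i = 0; i < 2; i++) {
        size_t n = sizes[i];
        size_t l53 = qp_len_for_repeated_byte(0xf4, n, 0);
        size_t l54 = qp_len_for_repeated_byte(0xf4, n, 1);
        printf("length=%zu alloc=%zu 5.3-rule=%zu (%s) 5.4-model=%zu (%s)\n",
               n, qp_alloc_size(n),
               l53, qp_output_fits(l53, n) ? "fits" : "OVERFLOW",
               l54, qp_output_fits(l54, n) ? "fits" : "OVERFLOW");
    }
    return 0;
}
```

Under the 5.3 rule the allocation formula assumes one soft break per 25 encoded bytes (75/3), which is exactly what the loop produces, so 3117 + 1 bytes fit in 3123. If the line-break rule fires more often than every 25 encoded bytes, as the assumed 5.4 model does for high bytes, the formula no longer bounds the output and the fixed-size buffer is too small; that is the kind of check a reviewer should run whenever an output-size estimate and the loop that fills the buffer are maintained separately.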
Comment 5 Petr Gajdos 2013-07-03 07:59:44 UTC
Tested with php 5.3.25.
Comment 6 Petr Gajdos 2013-07-03 09:01:32 UTC
Here we are:

The commit referenced there appears not to be in the 5.3 branch, which leads me to the suspicion
is redundant.

I tend to believe we are not affected by this flaw then. 5.4 we have only in Factory, which is already fixed by upgrading to 5.4.16.

I suggest closing this as invalid.
Comment 7 Marcus Meissner 2013-07-03 09:59:05 UTC
I looked over it and I think you are correct.

The heap overflow problem was introduced by the additional linebreak handling introduced by the commit you mentioned.

The issue does not affect PHP 5.3 on SLE11 SP2 or SP3.
Comment 8 Petr Gajdos 2013-07-03 10:38:47 UTC
Just for the record, issue _can_ be reproduced with 5.4.15 as described in php bug.