[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

PHP5 in Wheezy vulnerable to CVE-2013-2110?


I noticed the PHP project released PHP 5.4.16 which among other things fixes CVE-2013-2110 (heap-based buffer overflow in quoted_printable_encode()). According to https://security-tracker.debian.org/tracker/CVE-2013-2110 the Wheezy package (5.4.4-14+deb7u2) is not vulnerable, however when you download the source package (via apt-get source), the old (faulty?) code is still present.

Here is a link to the commit which fixes the upstream bug:


As far as I can tell this patch was not applied to the Debian source. I tried to check the Ubuntu package, they seem to apply the patch during package build.

Can someone please confirm that the Wheezy package is really not vulnerable? I tried to use the test code from PHP (attached below) on multiple PHP versions, but it doesn't cause segfaults (as it's supposed to) on any of those I tried (Not even on PHP 5.3.23, which is supposed to be vulnerable.)

The test code follows:

quoted_printable_encode(str_repeat("\xf4", 1000));
quoted_printable_encode(str_repeat("\xf4", 1000000));
echo "Done\n";


Reply to: