PHP5 in Wheezy vulnerable to CVE-2013-2110?

To: debian-security@lists.debian.org
Subject: PHP5 in Wheezy vulnerable to CVE-2013-2110?
From: jaroslav@thinline.cz
Date: Thu, 20 Jun 2013 09:08:03 +0200
Message-id: <[🔎] 4f30b839fc2833d33b7561a16595518c@thinline.cz>

Hello,

I noticed the PHP project released PHP 5.4.16 which among other thingsfixes CVE-2013-2110 (heap-based buffer overflow inquoted_printable_encode()). According tohttps://security-tracker.debian.org/tracker/CVE-2013-2110 the Wheezypackage (5.4.4-14+deb7u2) is not vulnerable, however when you downloadthe source package (via apt-get source), the old (faulty?) code is stillpresent.


Here is a link to the commit which fixes the upstream bug:

https://github.com/php/php-src/commit/93e0d78ec655f59ebfa82b2c6f8486c43651c1d0

As far as I can tell this patch was not applied to the Debian source. Itried to check the Ubuntu package, they seem to apply the patch duringpackage build.

Can someone please confirm that the Wheezy package is really notvulnerable? I tried to use the test code from PHP (attached below) onmultiple PHP versions, but it doesn't cause segfaults (as it's supposedto) on any of those I tried (Not even on PHP 5.3.23, which is supposedto be vulnerable.)


The test code follows:

<?
quoted_printable_encode(str_repeat("\xf4", 1000));
quoted_printable_encode(str_repeat("\xf4", 1000000));
echo "Done\n";
?>

Thanks

Reply to:

Follow-Ups:
- Re: PHP5 in Wheezy vulnerable to CVE-2013-2110?
  - From: "Thijs Kinkhorst" <thijs@debian.org>

Prev by Date: Re: [SECURITY] [DSA 2698-1] tiff security update
Next by Date: Re: PHP5 in Wheezy vulnerable to CVE-2013-2110?
Previous by thread: Re: [SECURITY] [DSA 2698-1] tiff security update
Next by thread: Re: PHP5 in Wheezy vulnerable to CVE-2013-2110?
Index(es):
- Date
- Thread