PHP5 in Wheezy vulnerable to CVE-2013-2110?
Hello,

I noticed the PHP project released PHP 5.4.16 which among other things
fixes CVE-2013-2110 (heap-based buffer overflow in
quoted_printable_encode()). According to
https://security-tracker.debian.org/tracker/CVE-2013-2110 the Wheezy
package (5.4.4-14+deb7u2) is not vulnerable; however, when you download
the source package (via apt-get source), the old (faulty?) code is still
present.

Here is a link to the commit which fixes the upstream bug:
https://github.com/php/php-src/commit/93e0d78ec655f59ebfa82b2c6f8486c43651c1d0

As far as I can tell this patch was not applied to the Debian source. I
tried to check the Ubuntu package; they seem to apply the patch during
package build.

Can someone please confirm that the Wheezy package is really not
vulnerable? I tried to use the test code from PHP (attached below) on
multiple PHP versions, but it doesn't cause segfaults (as it's supposed
to) on any of those I tried (not even on PHP 5.3.23, which is supposed
to be vulnerable).

The test code follows:

<?php
// Test code from PHP for CVE-2013-2110: encode long runs of a high-bit byte.
quoted_printable_encode(str_repeat("\xf4", 1000));
quoted_printable_encode(str_repeat("\xf4", 1000000));
echo "Done\n";
?>

Thanks
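
Added example, not part of the original message and not PHP's code: the message does not describe the root cause of CVE-2013-2110, so this C code only shows the general sizing problem for quoted-printable output (soft line breaks push the result past 3 bytes per input byte) and a bounds-checked writer that reports an overrun deterministically instead of relying on a segfault. The names qp_bound and qp_encode_checked are hypothetical, and the 1000 x 0xF4 input is constructed to match the test script.

```c
#include <stdio.h>
#include <string.h>

#define QP_LINE_MAX 76 /* RFC 2045 limit, including the '=' of a soft break */

/* Worst-case output size: 3 chars per byte plus one 3-byte soft break for
 * every full line; a line is closed once it holds at least 73 characters. */
size_t qp_bound(size_t len) { return 3 * len + 3 * (3 * len / 73); }

/* Hypothetical checked encoder: returns the bytes written to out[0..cap),
 * or -1 when the result does not fit. It never writes past cap. Spaces are
 * always encoded as =20 and CRLF input is not passed through. */
long qp_encode_checked(const unsigned char *in, size_t len, char *out, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0, col = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        int literal = (c >= 33 && c <= 126 && c != '=');
        size_t n = literal ? 1 : 3;
        if (col + n > QP_LINE_MAX - 1) { /* keep one column for '=' */
            if (cap - o < 3) return -1;
            memcpy(out + o, "=\r\n", 3);
            o += 3;
            col = 0;
        }
        if (cap - o < n) return -1;
        if (literal) {
            out[o++] = (char)c;
        } else {
            out[o++] = '=';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        }
        col += n;
    }
    return (long)o;
}

int main(void)
{
    unsigned char in[1000];  /* constructed input, as in the test script */
    static char out[4096];
    memset(in, 0xF4, sizeof in);
    printf("cap = 3*len:  %ld\n", qp_encode_checked(in, sizeof in, out, 3 * sizeof in));
    printf("cap = bound:  %ld\n", qp_encode_checked(in, sizeof in, out, qp_bound(sizeof in)));
    return 0;
}
```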