Bugzilla – Bug 900934
VUL-0: CVE-2014-3622: php: remote memory whoes
Last modified: 2014-10-20 13:45:43 UTC
Please see https://bugs.php.net/bug.php?id=68088
bugbot adjusting priority
add_post_var() is present from 5.6, so this is not issue for older distributions. It is fixed in php 5.6.1 -> submitting it to factory and 13.2 will fix this issue for us. Keeping this bug opened to ensure this is fixed in 13.2.
Hi there, I got customer asking whether this very same CVE-2014-3622 is fixed in php versions 5.3.8 (SLES 11 SP2) and 5.3.17 (SLES 11 SP3) but as you say it's fixed since 5.6 which is not available for SLES. Can you build PTF for the latest SLES 11 SP3? I can open L3 for that.
I do not think php in 5.3.x is affected, see comment 2.
More over, that could be considered as bug in the extension itself: Right now this is not an exploitable problem, because in order for this to be a big problem the called input filter must do something like freeing the value supplied. Then we would have an illegal efree() that is potentially exploitable for remote code execution. No such extension is, of course, known.
(In reply to Petr Gajdos from comment #5) > Right now this is not an exploitable problem, because in order for this > to be a big problem the called input filter must do something like > freeing the value supplied. Then we would have an illegal efree() that > is potentially exploitable for remote code execution. Oh forgot to quote this. This wording is from php bug.
13.2 has 5.6.1.