Vulnerability CVE-2018-7584: Information

Description

In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.

Severity: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2018-7584
Published: March 1, 2018
Modified: Aug. 19, 2019
Error type identifier: CWE-119

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
php5p85.6.36-alt1.M80P.15.6.38-alt1ALT-PU-2018-1763-1206241Fixed
php7p107.2.5-alt1.S17.4.33-alt1ALT-PU-2018-1704-1205839Fixed
php7p97.2.5-alt1.S17.3.33-alt1ALT-PU-2018-1704-1205839Fixed
php7p87.2.5-alt1.M80P.17.2.34-alt1ALT-PU-2018-1742-1205840Fixed
php7c10f17.2.5-alt1.S17.4.33-alt1ALT-PU-2018-1704-1205839Fixed
php7c9f27.2.5-alt1.S17.4.33-alt1ALT-PU-2018-1704-1205839Fixed
php7-curlp87.2.5-alt1.M80P.17.2.34-alt1ALT-PU-2018-1743-1205840Fixed
php7-intlp87.2.5-alt1.M80P.17.2.34-alt1ALT-PU-2018-1748-1205840Fixed
php7-opcachep87.2.5-alt1.M80P.1.17.2.34-alt1.1ALT-PU-2018-1749-1205840Fixed
php7-opensslp87.2.5-alt1.M80P.1.17.2.34-alt1.1ALT-PU-2018-1744-1205840Fixed
php7-pgsqlp87.2.5-alt1.M80P.1.27.2.34-alt1.2ALT-PU-2018-1745-1205840Fixed
php7-xmlrpcp87.2.5-alt1.M80P.17.2.34-alt1ALT-PU-2018-1750-1205840Fixed
php7-xslp87.2.5-alt1.M80P.17.2.34-alt1ALT-PU-2018-1747-1205840Fixed
php7-zipp87.2.5-alt1.M80P.17.2.34-alt1.1ALT-PU-2018-1746-1205840Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/php/php-src/commit/523f230c831d7b33353203fa34aee4e92ac12bba
  • Patch
https://bugs.php.net/bug.php?id=75981
  • Issue Tracking
http://php.net/ChangeLog-7.php
  • Release Notes
103204
  • Third Party Advisory
  • VDB Entry
USN-3600-1
  • Third Party Advisory
[debian-lts-announce] 20180329 [SECURITY] [DLA 1326-1] php5 security update
  • Mailing List
  • Third Party Advisory
https://www.tenable.com/security/tns-2018-03
  • Third Party Advisory
USN-3600-2
  • Third Party Advisory
44846
  • Exploit
  • Third Party Advisory
  • VDB Entry
[debian-lts-announce] 20180626 [SECURITY] [DLA 1397-1] php5 security update
  • Mailing List
  • Third Party Advisory
DSA-4240
  • Third Party Advisory
1041607
  • Third Party Advisory
  • VDB Entry
https://www.tenable.com/security/tns-2018-12
  • Third Party Advisory
RHSA-2019:2519

      1. Configuration 1

        cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
        End including
        5.6.33
        cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
        Start including
        7.0.0
        End excliding
        7.0.28
        cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
        Start including
        7.1.0
        End including
        7.1.14
        cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
        Start including
        7.2.0
        End including
        7.2.2

        Configuration 2

        cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
        cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
        cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
        cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*

        Configuration 3

        cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
        cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
        cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
    VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
    Version: v24.4.2
    Back to top