Debian Bug report logs - #768807
php5: CVE-2014-3710: denial of service (out-of-bounds read and application crash) via a crafted ELF file

version graph

Package: src:php5; Maintainer for src:php5 is (unknown);

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 9 Nov 2014 13:03:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions php5/5.6.2+dfsg-1, php5/5.4.34-0+deb7u1, php5/5.4.4-14, php5/5.4.4-4

Fixed in versions php5/5.6.3+dfsg-1, php5/5.4.35-0+deb7u1, 5.6.3+dfsg-1

Done: Moritz Muehlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#768807; Package src:php5. (Sun, 09 Nov 2014 13:03:06 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 09 Nov 2014 13:03:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5: CVE-2014-3710: denial of service (out-of-bounds read and application crash) via a crafted ELF file
Date: Sun, 09 Nov 2014 13:58:07 +0100
Source: php5
Version: 5.6.2+dfsg-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for php5.

CVE-2014-3710[0]:
out-of-bounds read in elf note headers

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710
    https://security-tracker.debian.org/tracker/CVE-2014-3710
[1] http://git.php.net/?p=php-src.git;a=commit;h=1803228597e82218a8c105e67975bc50e6f5bf0d
[2] https://bugs.php.net/bug.php?id=68283

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Marked as found in versions php5/5.4.4-14. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 09 Nov 2014 13:06:15 GMT) (full text, mbox, link).

Marked as found in versions php5/5.4.34-0+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 09 Nov 2014 13:09:04 GMT) (full text, mbox, link).

Marked as found in versions php5/5.4.4-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 09 Nov 2014 13:33:09 GMT) (full text, mbox, link).

Marked as fixed in versions php5/5.6.3+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 17:06:09 GMT) (full text, mbox, link).

Marked as fixed in versions php5/5.4.35-0+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 19 Nov 2014 17:06:10 GMT) (full text, mbox, link).

Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (Wed, 04 Feb 2015 08:51:13 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 04 Feb 2015 08:51:13 GMT) (full text, mbox, link).

Message #20 received at 768807-done@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 768807-done@bugs.debian.org
Subject: Re: php5: CVE-2014-3710: denial of service (out-of-bounds read and application crash) via a crafted ELF file
Date: Wed, 4 Feb 2015 09:44:07 +0100
Version: 5.6.3+dfsg-1

On Sun, Nov 09, 2014 at 01:58:07PM +0100, Salvatore Bonaccorso wrote:
> Source: php5
> Version: 5.6.2+dfsg-1
> Severity: important
> Tags: security upstream patch
> 
> Hi,
> 
> the following vulnerability was published for php5.
> 
> CVE-2014-3710[0]:
> out-of-bounds read in elf note headers
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710
>     https://security-tracker.debian.org/tracker/CVE-2014-3710
> [1] http://git.php.net/?p=php-src.git;a=commit;h=1803228597e82218a8c105e67975bc50e6f5bf0d
> [2] https://bugs.php.net/bug.php?id=68283
> 
> Please adjust the affected versions in the BTS as needed.

This has been fixed.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 27 Apr 2015 07:26:02 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 02:11:45 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.