Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#42764 - [php] CVE-2014-3710: denial of service through out-of-bounds read

Attached to Project: Arch Linux
Opened by Levente Polyak (anthraxx) - Wednesday, 12 November 2014, 20:10 GMT
Last edited by Pierre Schmitz (Pierre) - Thursday, 13 November 2014, 17:42 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


It has been reported [0] that php 5.6.2-2 is vulnerable to out-of-bounds read resulting in denial of service. This issue is tracked as CVE-2014-3710 [1].

An out-of-bounds read flaw was found in the way the file information (fileinfo) extension parsed executable and linkable format (ELF) files. A remote attacker could use this flaw to crash a PHP application using fileinfo via a specially crafted ELF file.

The problem has been tracked [2] and fixed upstream [3] but no release is available yet.
We recommend to backport the patch until a release is available.

The attached patch does apply fine with:
# patch -p1 -i "${srcdir}/CVE-2014-3710.patch"

This bug is related to  FS#42759 

This task depends upon

Closed by  Pierre Schmitz (Pierre)
Thursday, 13 November 2014, 17:42 GMT
Reason for closing:  Fixed
Comment by Pierre Schmitz (Pierre) - Wednesday, 12 November 2014, 20:51 GMT
This will be fixed in 5.6.3 which was tagged today. No idea when it will be released though.