PHP :: Sec Bug #68925 :: CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow

Sec Bug #68925	CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow
Submitted:	2015-01-27 21:34 UTC	Modified:	2015-02-01 03:17 UTC
From:	leigh@php.net	Assigned:	stas (profile)
Status:	Closed	Package:	Network related
PHP Version:	5.4.37	OS:	Linux glibc > 2.2
Private report:	No	CVE-ID:	None

View Developer Edit

[2015-01-27 21:34 UTC] leigh@php.net

Description:
------------
For full details see: http://www.openwall.com/lists/oss-security/2015/01/27/9

We use this function in several places where userland input can be passed as a parameter to gethostbyname(). Given that a proof of concept RCE has been developed this could cause a potential issue for users who pass user supplied input these functions.

The Case Studies section of the oss-security link shows situations where apps are vulnerable or not.

Could someone please review http://lxr.php.net/search?q=gethostbyname&defs=&refs=&path=&hist=&project=PHP_5_6 and see if we can mitigate any potential vulnerabilities using the same techniques.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-02-01 03:17 UTC] stas@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: stas

[2015-02-01 03:17 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Mar 29 19:01:31 2025 UTC