PHP :: Sec Bug #66731 :: file: infinite recursion

Sec Bug #66731	file: infinite recursion
Submitted:	2014-02-18 08:34 UTC	Modified:	2014-03-06 13:10 UTC
From:	remi@php.net	Assigned:	remi (profile)
Status:	Closed	Package:	Filesystem function related
PHP Version:	5.5.9	OS:	irrevelant
Private report:	No	CVE-ID:	2014-1943

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	remi@php.net
New email:
PHP Version:		OS:

New Comment:

[2014-02-18 08:34 UTC] remi@php.net

Description:
------------
CVE-2014-1943 which affects File < 5.17 also affects PHP which bundles libmagic.

Patches

cve-2014-1943.patch (last revision 2014-02-18 12:47 UTC by remi@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-02-18 08:34 UTC] remi@php.net

-Type: Bug +Type: Security -Private report: No +Private report: Yes

[2014-02-18 08:49 UTC] stas@php.net

-CVE-ID: +CVE-ID: 2014-1943

[2014-02-18 12:19 UTC] remi@php.net

-Assigned To: +Assigned To: remi

[2014-02-18 12:19 UTC] remi@php.net

1st part of the reproducer allow to raise a segfault uploading a specially crafted data file, when a web app call fileinfo() for this file.

It affects php >= 5.4.15 (with file 5.14).

2nd part of the reproducer allow to raise a segfault but with a specially crafted magic file. So is not remotely exploitable.

It affects php >= 5.3.0 (with file >= 5.03)

[2014-02-18 12:20 UTC] remi@php.net

Plan is to apply the proposed patch in 5.4 + 5.5 and to update to new upstream libmagic from file 5.17 (which includes the fix).

[2014-02-18 12:47 UTC] remi@php.net

The following patch has been added/updated:

Patch Name: cve-2014-1943.patch
Revision:   1392727674
URL:        https://bugs.php.net/patch-display.php?bug=66731&patch=cve-2014-1943.patch&revision=1392727674

[2014-02-18 13:00 UTC] remi@php.net

-Status: Assigned +Status: Closed

[2014-02-18 13:00 UTC] remi@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Fixed in http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c547014646e71862df3664e3ff33d7143d

[2014-10-07 23:16 UTC] stas@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=89f864c547014646e71862df3664e3ff33d7143d
Log: Fixed Bug #66731 file: infinite recursion

[2014-10-07 23:27 UTC] stas@php.net

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=89f864c547014646e71862df3664e3ff33d7143d
Log: Fixed Bug #66731 file: infinite recursion

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 14:01:29 2024 UTC