CVE-2014-3597

Published: 22 August 2014

Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049.

Priority

Medium

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 14.04 ESM (Trusty Tahr)
Released (5.5.9+dfsg-1ubuntu4.4)
Ubuntu 12.04 ESM (Precise Pangolin)
Released (5.3.10-1ubuntu3.14)
Patches:
Other: https://github.com/php/php-src/commit/2fefae47716d501aec41c1102f3fd4531f070b05#diff-d41d8cd98f00b204e9800998ecf8427e