CVE-2017-11628

Published: 25 July 2017

In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow executing code. NOTE: this is only relevant for PHP applications that accept untrusted input (instead of the system's php.ini file) for the parse_ini_string or parse_ini_file function, e.g., a web application for syntax validation of php.ini directives.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
Upstream
Released (5.6.31)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr)
Released (5.5.9+dfsg-1ubuntu4.22)
Patches:
Upstream: https://github.com/php/php-src/commit/5f8380d33e648964d2d5140f329cf2d4c443033c
php7.0
Launchpad, Ubuntu, Debian
Upstream
Released (7.0.21)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus)
Released (7.0.22-0ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/php/php-src/commit/05255749139b3686c8a6a58ee01131ac0047465e
php7.1
Launchpad, Ubuntu, Debian
Upstream
Released (7.1.7)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (7.1.8-1ubuntu1)
Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/php/php-src/commit/05255749139b3686c8a6a58ee01131ac0047465e
Upstream: https://github.com/php/php-src/commit/0ba04f77379b5d277f5bd190c1542a0d91289978 (7.1 merge)