CVE-2017-16642

Published: 07 November 2017

In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.

Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr)
Released (5.5.9+dfsg-1ubuntu4.23)
Patches:
Upstream: https://github.com/php/php-src/commit/a7815e63bdab95f7b9b0e32c52c81a4b6ad3a8f6
php7.0
Launchpad, Ubuntu, Debian
Upstream
Released (7.0.25)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus)
Released (7.0.25-0ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

php7.1
Launchpad, Ubuntu, Debian
Upstream
Released (7.1.11)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/php/php-src/commit/5c0455bf2c8cd3c25401407f158e820aa3b239e1