CVE-2007-4840

NameCVE-2007-4840
DescriptionPHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via (1) a long string in the out_charset parameter to the iconv function; or a long string in the charset parameter to the (2) iconv_mime_decode_headers, (3) iconv_mime_decode, or (4) iconv_strlen function. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless these issues can be demonstrated for code execution.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
glibc (PTS)bullseye2.31-13+deb11u11fixed
bullseye (security)2.31-13+deb11u10fixed
bookworm2.36-9+deb12u9fixed
bookworm (security)2.36-9+deb12u7fixed
trixie2.40-3fixed
sid2.40-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
glibcsource(unstable)2.7-1unimportant

Notes

Original PHP issue only triggerable by malicious script
Search for package or bug name: Reporting problems