CVE-2014-9912

NameCVE-2014-9912
DescriptionThe get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php5sourcewheezy5.4.34-0+deb7u1
php5source(unstable)5.6.0+dfsg-1

Notes

Fixed in 5.6.0, 5.5.14, 5.4.30, 5.3.29
PHP Bug: https://bugs.php.net/bug.php?id=67397
Upstream patch: https://bugs.php.net/patch-display.php?bug_id=67397&patch=bug67397-patch&revision=latest
PHP workaround for CVE-2014-9911 in icu
Search for package or bug name: Reporting problems