CVE-2017-11362

NameCVE-2017-11362
DescriptionIn PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict the locale length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact within International Components for Unicode (ICU) for C/C++ via a long first argument to the msgfmt_parse_message function.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php5 (PTS)wheezy5.4.45-0+deb7u2vulnerable
wheezy (security)5.4.45-0+deb7u9vulnerable
jessie (security), jessie5.6.30+dfsg-0+deb8u1vulnerable
php7.0 (PTS)stretch7.0.19-1vulnerable
buster, sid7.0.20-2vulnerable
php7.1 (PTS)buster, sid7.1.6-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php5source(unstable)(unfixed)unimportant
php7.0source(unstable)(unfixed)unimportant
php7.1source(unstable)(unfixed)unimportant

Notes

PHP Bug: https://bugs.php.net/bug.php?id=73473
Fixed in 7.1.7, 7.0.21
Only triggerable by malicious script

Search for package or bug name: Reporting problems