CVE-2017-11362

NameCVE-2017-11362
DescriptionIn PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict the locale length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact within International Components for Unicode (ICU) for C/C++ via a long first argument to the msgfmt_parse_message function.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php5source(unstable)(unfixed)unimportant
php7.0source(unstable)7.0.22-1unimportant
php7.1source(unstable)7.1.8-1unimportant

Notes

PHP Bug: https://bugs.php.net/bug.php?id=73473
Fixed in 7.1.7, 7.0.21
Only triggerable by malicious script
Search for package or bug name: Reporting problems