|Description||main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||medium (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|php7.0 (PTS)||stretch (security), stretch||7.0.33-0+deb9u3||vulnerable|
The information below is based on the following data on fixed versions.
|Package||Type||Release||Fixed Version||Urgency||Origin||Debian Bugs|
[buster] - php7.3 <ignored> (Upstream patch breaks existing applications, was reverted again, revisit if a new approach has been identified)
[stretch] - php7.0 <ignored> (Upstream patch breaks existing applications, was reverted again, revisit if a new approach has been identified)
[jessie] - php5 <ignored> (Upstream patch breaks existing applications, was reverted again, revisit if a new approach has been identified)
PHP Bug: https://bugs.php.net/bug.php?id=74192
The commit was later on reverted again because of breaking some features.
See as well the related CVE-2017-7272.