CVE-2017-11362

Priority
Low
Description
In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7,
ext/intl/msgformat/msgformat_parse.c does not restrict the locale length,
which allows remote attackers to cause a denial of service (stack-based
buffer overflow and application crash) or possibly have unspecified other
impact within International Components for Unicode (ICU) for C/C++ via a
long first argument to the msgfmt_parse_message function.
Notes
 sarnold> PHP team disputes this CVE's security relevance
 mdeslaur> php5 looks to be affected by the issue also
 mdeslaur> reproducer doesn't work on any release
Package
Source: php5 (LP Ubuntu Debian)
Upstream: needed
Ubuntu 17.10 (Artful Aardvark): DNE
Ubuntu 12.04 ESM (Precise Pangolin): needed
Ubuntu 14.04 LTS (Trusty Tahr): released (5.5.9+dfsg-1ubuntu4.22)
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 17.04 (Zesty Zapus): DNE
Package
Upstream: released (7.1.7)
Ubuntu 17.10 (Artful Aardvark): released (7.1.8-1ubuntu1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 17.04 (Zesty Zapus): DNE
Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=95c4564f939c916538579ef63602a3cd31941c51
Package
Upstream: released (7.0.21)
Ubuntu 17.10 (Artful Aardvark): DNE
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (7.0.22-0ubuntu0.16.04.1)
Ubuntu 17.04 (Zesty Zapus): released (7.0.22-0ubuntu0.17.04.1)
Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=95c4564f939c916538579ef63602a3cd31941c51
Updated: 2017-08-11 23:24:39 UTC (commit 13081)