CVE-2017-11362 (retired)

Priority
Description
In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7,
ext/intl/msgformat/msgformat_parse.c does not restrict the locale length,
which allows remote attackers to cause a denial of service (stack-based
buffer overflow and application crash) or possibly have unspecified other
impact within International Components for Unicode (ICU) for C/C++ via a
long first argument to the msgfmt_parse_message function.
Notes
sarnold: PHP team disputes this CVE's security relevance
mdeslaur: php5 looks to be affected by the issue also
reproducer doesn't work on any release
Package
Source: php5
Upstream: needed
Ubuntu 12.04 ESM (Precise Pangolin): released (5.3.10-1ubuntu3.36)
Ubuntu 14.04 ESM (Trusty Tahr): released (5.5.9+dfsg-1ubuntu4.22)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan): DNE
Package
Upstream: released (7.0.21)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (7.0.22-0ubuntu0.16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan): DNE
Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=95c4564f939c916538579ef63602a3cd31941c51
Package
Upstream: released (7.1.7)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 19.04 (Disco Dingo): DNE
Ubuntu 19.10 (Eoan): DNE
Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=95c4564f939c916538579ef63602a3cd31941c51
Updated: 2019-10-09 07:58:37 UTC (commit 33aea848a182c0afcd0a3f927a01a7ecd9a061ee)