CVE-2017-16642

Priority
Low
Description
In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error
in the date extension's timelib_meridian handling of 'front of' and 'back
of' directives could be used by attackers able to supply date strings to
leak information from the interpreter, related to ext/date/lib/parse_date.c
out-of-bounds reads affecting the php_parse_date function. NOTE: this is a
different issue than CVE-2017-11145.
References
Bugs
Notes
 leosilva> following debian comments, precise is not affected.
Package
Source: php5 (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (code not present)
Ubuntu 14.04 LTS (Trusty Tahr):released (5.5.9+dfsg-1ubuntu4.23)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 17.10 (Artful Aardvark):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Patches:
Upstream:https://github.com/php/php-src/commit/a7815e63bdab95f7b9b0e32c52c81a4b6ad3a8f6
Package
Upstream:released (7.1.11)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 17.10 (Artful Aardvark):not-affected (7.1.11-0ubuntu0.17.10.1)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Patches:
Upstream:https://github.com/php/php-src/commit/5c0455bf2c8cd3c25401407f158e820aa3b239e1
Package
Upstream:released (7.0.25)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (7.0.25-0ubuntu0.16.04.1)
Ubuntu 17.10 (Artful Aardvark):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
More Information

Updated: 2018-07-17 13:14:45 UTC (commit 9ab2d40ee2cc8f7a9bc2350137802a3e9074f2d0)