SB2013062102 - Multiple vulnerabilities in PHP

Security Bulletin ID SB2013062102

Severity

Medium

Patch available

NO

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2013-4635)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function.

2) Input validation error (CVE-ID: CVE-2013-4636)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The mget function in libmagic/softmagic.c in the Fileinfo component in PHP 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (invalid pointer dereference and application crash) via an MP3 file that triggers incorrect MIME type detection during access to an finfo object.

3) Heap-based buffer overflow (CVE-ID: CVE-2013-2110)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Heap-based buffer overflow in the php_quot_print_encode function in ext/standard/quot_print.c in PHP before 5.3.26 and 5.4.x before 5.4.16. A remote attacker can use a crafted argument to the quoted_printable_encode function. to trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

SB2013062102 - Multiple vulnerabilities in PHP

Breakdown by Severity

Description

Remediation

References