CVE-2018-7584

Summary

CVE	CVE-2018-7584
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-03-01 19:29:00 UTC
Updated	2019-08-19 11:15:00 UTC
Description	In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.

Risk And Classification

Problem Types: CWE-119

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Canonical	Ubuntu Linux	12.04	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	17.10	All	All	All
Operating System	Canonical	Ubuntu Linux	12.04	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	17.10	All	All	All
Operating System	Debian	Debian Linux	7.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Debian	Debian Linux	7.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Php	Php	All	All	All	All
Application	Php	Php	All	All	All	All
Application	Php	Php	All	All	All	All
Application	Php	Php	All	All	All	All
Application	Php	Php	All	All	All	All

References

Reference	Source	Link	Tags
USN-3600-2: PHP vulnerabilities \| Ubuntu security notices	UBUNTU	usn.ubuntu.com	Third Party Advisory
Debian -- Security Information -- DSA-4240-1 php7.0	DEBIAN	www.debian.org	Third Party Advisory
[R1] SecurityCenter 5.7.1 Fixes Multiple Third-Party Vulnerabilities - Security Advisory \| Tenable®	CONFIRM	www.tenable.com	Third Party Advisory
Fix bug #75981: prevent reading beyond buffer start · php/php-src@523f230 · GitHub	CONFIRM	github.com	Patch
USN-3600-1: PHP vulnerabilities \| Ubuntu security notices	UBUNTU	usn.ubuntu.com	Third Party Advisory
[SECURITY] [DLA 1397-1] php5 security update	MLIST	lists.debian.org	Mailing List, Third Party Advisory
PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow - PHP dos Exploit	EXPLOIT-DB	www.exploit-db.com	Exploit, Third Party Advisory, VDB Entry
PHP :: Sec Bug #75981 :: stack-buffer-overflow while parsing HTTP response	CONFIRM	bugs.php.net	Issue Tracking
PHP: PHP 7 ChangeLog	CONFIRM	php.net	Release Notes
PHP CVE-2018-7584 Stack Buffer Overflow Vulnerability	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
[R2] SecurityCenter 5.6.2.1 Fixes One Third-party Vulnerability - Security Advisory \| Tenable®	CONFIRM	www.tenable.com	Third Party Advisory
QNAP Storage Devices PHP Buffer Error Lets Remote Users Deny Service - SecurityTracker	SECTRACK	www.securitytracker.com	Third Party Advisory, VDB Entry
Red Hat Customer Portal	REDHAT	access.redhat.com
[SECURITY] [DLA 1326-1] php5 security update	MLIST	lists.debian.org	Mailing List, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

377294 Alibaba Cloud Linux Security Update for Hypertext Preprocessor (PHP) (ALINUX2-SA-2020:0054)