Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function.
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
| Link | Tags |
|---|---|
| http://www.securityfocus.com/bid/92095 | vdb entry third party advisory |
| http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=e6c48213c22ed50b2b987b479fcc1ac709394caa | |
| http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html | vendor advisory |
| https://security.gentoo.org/glsa/201611-22 | vendor advisory |
| http://rhn.redhat.com/errata/RHSA-2016-2750.html | vendor advisory |
| http://www.ubuntu.com/usn/USN-3059-1 | vendor advisory |
| https://bugs.php.net/72606 | issue tracking exploit |
| http://php.net/ChangeLog-5.php | release notes |
| http://www.securitytracker.com/id/1036430 | vdb entry |
| http://www.debian.org/security/2016/dsa-3631 | vendor advisory |
| http://php.net/ChangeLog-7.php | release notes |
| http://openwall.com/lists/oss-security/2016/07/24/2 | mailing list |
| https://support.apple.com/HT207170 | |
| https://lists.debian.org/debian-lts-announce/2019/11/msg00029.html | mailing list |