CVE-2006-1990
Published 2006-04-24
Priority: P4 · 31 · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 10.38% (95.2th percentile)
Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| php | php | < 5.1.5 | 5.1.5 |
| php | php | — | — |
| php | php | — | — |
CVSS provenance
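| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |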
Red Hat
security flaw
vendor_redhat·2006-08-17·CVSS 5.0
CVE-2006-4482 [MEDIUM] security flaw
Multiple heap-based buffer overflows in the (1) str_repeat and (2) wordwrap functions in ext/standard/string.c in PHP before 5.1.5, when used on a 64-bit system, have unspecified impact and attack vectors, a different vulnerability than CVE-2006-1990.
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2006-07-19·CVSS 4.3
CVE-2006-1494 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: PHP vulnerabilities
The phpinfo() PHP function did not properly sanitize long strings. A
remote attacker could use this to perform cross-site scripting attacks
against sites that have publicly-available PHP scripts that call
phpinfo(). Please note that it is not recommended to publicly expose
phpinfo(). (CVE-2006-0996)
An information disclosure has been reported in the
html_entity_decode() function. A script which uses this function to
process arbitrary user-supplied input could be exploited to expose a
random part of memory, which could potentially reveal sensitive data.
(CVE-2006-1490)
The wordwrap() function did not sufficiently check the validity of the
'break' argument. An attacker who could control the string passed to
the 'break' parameter cou
Red Hat
security flaw
vendor_redhat·2006-04-24·CVSS 7.5
CVE-2006-1990 [HIGH] security flaw
Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396.
GHSA
GHSA-jxvq-9v75-wqch: Multiple heap-based buffer overflows in the (1) str_repeat and (2) wordwrap functions in ext/standard/string
ghsa_unreviewed·2022-05-03·CVSS 5.0
CVE-2006-4482 [MEDIUM] CWE-119 GHSA-jxvq-9v75-wqch: Multiple heap-based buffer overflows in the (1) str_repeat and (2) wordwrap functions in ext/standard/string
Multiple heap-based buffer overflows in the (1) str_repeat and (2) wordwrap functions in ext/standard/string.c in PHP before 5.1.5, when used on a 64-bit system, have unspecified impact and attack vectors, a different vulnerability than CVE-2006-1990.
GHSA
GHSA-jpv3-m3h3-ph93: Integer overflow in the wordwrap function in string
ghsa_unreviewed·2022-05-03·CVSS 7.5
CVE-2006-1990 [HIGH] GHSA-jpv3-m3h3-ph93: Integer overflow in the wordwrap function in string
Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2006-4482 security flaw
bugzilla·2018-08-16·CVSS 5.0
CVE-2006-4482 [MEDIUM] CVE-2006-4482 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Multiple heap-based buffer overflows in the (1) str_repeat and (2) wordwrap functions in ext/standard/string.c in PHP before 5.1.5, when used on a 64-bit system, have unspecified impact and attack vectors, a different vulnerability than CVE-2006-1990.
Bugzilla
CVE-2006-1990 security flaw
bugzilla·2018-08-16·CVSS 7.5
CVE-2006-1990 [HIGH] CVE-2006-1990 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and 5.1.2 might allow context-dependent attackers to execute arbitrary code via certain long arguments that cause a small buffer to be allocated, which triggers a heap-based buffer overflow in a memcpy function call, a different vulnerability than CVE-2002-1396.
Bugzilla
CVE-2006-4482 PHP heap overflow
bugzilla·2006-09-18·CVSS 5.0
CVE-2006-4482 [MEDIUM] CVE-2006-4482 PHP heap overflow
+++ This bug was initially created as a clone of Bug #204993 +++
(Description from MITRE)
Multiple heap-based buffer overflows in the (1) str_repeat and (2)
wordwrap functions in ext/standard/string.c in PHP before 5.1.5, when
used on a 64-bit system, have unspecified impact and attack vectors, a
different vulnerability than CVE-2006-1990.
This is the result of using int = size_t * size_t where int is 32 bits
and size_t is 64 bits. The odds of exploiting this remotely are slim
as you would probably have to send 2 gigs of data to a broken app.
http://www.php.net/release_5_1_5.php
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.10&r2=1.445.2.14.2.11
Discussion:
An advisory has been issued which should help the problem
describe
Bugzilla
CVE-2005-3388 multiple PHP issues (CVE-2006-1990 CVE-2005-3389 CVE-2005-3390)
bugzilla·2006-06-19·CVSS 4.3
CVE-2005-3388 [MEDIUM] CVE-2005-3388 multiple PHP issues (CVE-2006-1990 CVE-2005-3389 CVE-2005-3390)
Several security issues were found in the PHP package in Stronghold 4.0:
The wordwrap() PHP function did not properly check for integer overflow in
the way the "break" parameter was handled. An attacker who could control a
string passed to the "break" parameter could cause a heap overflow.
(CVE-2006-1990)
The phpinfo() PHP function did not properly sanitize long strings. This
could allow an attacker to perform cross-site scripting attacks against
sites that had publicly-available PHP scripts that called phpinfo().
(CVE-2006-0996)
A flaw in the way PHP registered global variables during a file upload
request was discovered. A remote attacker could submit a carefully crafted
multipart/form-data POST request tha
Bugzilla
CVE-2006-1990 php security issue
bugzilla·2006-05-05·CVSS 5.0
CVE-2006-1990 [MEDIUM] CVE-2006-1990 php security issue
CVE-2006-1990 - wordwrap integer overflow
An integer overflow issue was discovered in PHP. This issue could
potentially lead to arbitrary code execution as it allows overwriting
an arbitrary section of memory with user supplied data. The
exploitability of this issue will depend on how a user program is
written to accept and process data passed to the wordwrap function.
http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-04-02
Discussion:
This issue was addressed in Red Hat Application Stack v1 before GA.
Bugzilla
CVE-2006-1990 wordwrap integer overflow
bugzilla·2006-04-26·CVSS 5.0
CVE-2006-1990 [MEDIUM] CVE-2006-1990 wordwrap integer overflow
CVE-2006-1990 php multiple issues (CVE-2006-1991)
CVE-2006-1990 - wordwrap integer overflow
An integer overflow issue was discovered in PHP. This issue could
potentially lead to arbitrary code execution as it allows overwriting
an arbitrary section of memory with user supplied data. The
exploitability of this issue will depend on how a user program is
written to accept and process data passed to the wordwrap function.
CVE-2006-1991 - substr_compare DoS
It is possible to cause an OOB memory read via an improperly issued
call to the substr_compare function. The ability to exploit this
issue will depend on how a user program is written to pass invalid
data to the substr_compare function.
http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-04-02
Bugzilla
CVE-2006-1990 php multiple issues (CVE-2006-1991)
bugzilla·2006-04-26·CVSS 5.0
CVE-2006-1990 [MEDIUM] CVE-2006-1990 php multiple issues (CVE-2006-1991)
CVE-2006-1990 php multiple issues (CVE-2006-1991)
CVE-2006-1990 - wordwrap integer overflow
An integer overflow issue was discovered in PHP. This issue could
potentially lead to arbitrary code execution as it allows overwriting
an arbitrary section of memory with user supplied data. The
exploitability of this issue will depend on how a user program is
written to accept and process data passed to the wordwrap function.
CVE-2006-1991 - substr_compare DoS
It is possible to cause an OOB memory read via an improperly issued
call to the substr_compare function. The ability to exploit this
issue will depend on how a user program is written to pass invalid
data to the substr_compare function.
http://www.infigo.hr/en/in_focus/advisories/INFIGO-2
Bugzilla
CVE-2002-2214 PHP segfault imap_fetch_overview() (CVE-2002-2215, CVE-2003-1302, CVE-2003-1303). Also - Multiple PHP vulnerabilities (CVE-2005-2933 CVE-2005-3883 CVE-2006-0208 CVE-2006-0996 CVE-2006-1
bugzilla·2005-12-05·CVSS 5.0
CVE-2002-2214 [MEDIUM] CVE-2002-2214 PHP segfault imap_fetch_overview() (CVE-2002-2215, CVE-2003-1302, CVE-2003-1303). Also - Multiple PHP vulnerabilities (CVE-2005-2933 CVE-2005-3883 CVE-2006-0208 CVE-2006-0996 CVE-2006-1
CVE-2002-2214 PHP segfault imap_fetch_overview() (CVE-2002-2215, CVE-2003-1302, CVE-2003-1303). Also - Multiple PHP vulnerabilities (CVE-2005-2933 CVE-2005-3883 CVE-2006-0208 CVE-2006-0996 CVE-2006-1490 CVE-2006-1990)
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20051012 Netscape/8.0.4
Description of problem:
If a mailbox contains a From: or To: header beginning with an overlong e-mail address, imap_fetch_overview() will segfault when processing that message.
This is one of several vulnerabilities where code in php_imap.c calls rfc822_write_address() to write an e-mail address to a buffer of fixed size without first checking that the e-mail address fits into the buffer.
http://bugs.php.net/bug.php?id=15595
http://bugs.php.net/bug.php
References
ftp://patches.sgi.com/support/free/security/advisories/20060701-01-U
http://docs.info.apple.com/article.html?artnum=304829
http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html
http://rhn.redhat.com/errata/RHSA-2006-0549.html
http://secunia.com/advisories/19803
http://secunia.com/advisories/20052
http://secunia.com/advisories/20222
http://secunia.com/advisories/20269
http://secunia.com/advisories/20676
http://secunia.com/advisories/21031
http://secunia.com/advisories/21050
http://secunia.com/advisories/21125
http://secunia.com/advisories/21135
http://secunia.com/advisories/21252
http://secunia.com/advisories/21564
http://secunia.com/advisories/21723
http://secunia.com/advisories/22225
http://secunia.com/advisories/23155
http://security.gentoo.org/glsa/glsa-200605-08.xml
http://securitytracker.com/id?1015979
http://support.avaya.com/elmodocs2/security/ASA-2006-160.htm
http://support.avaya.com/elmodocs2/security/ASA-2006-175.htm
http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-04-02
http://www.mandriva.com/security/advisories?name=MDKSA-2006:091
http://www.mandriva.com/security/advisories?name=MDKSA-2006:122
http://www.novell.com/linux/security/advisories/2006_31_php.html
http://www.redhat.com/support/errata/RHSA-2006-0501.html
http://www.redhat.com/support/errata/RHSA-2006-0568.html
http://www.securityfocus.com/archive/1/447866/100/0/threaded
http://www.turbolinux.com/security/2006/TLSA-2006-38.txt
http://www.ubuntu.com/usn/usn-320-1
http://www.us-cert.gov/cas/techalerts/TA06-333A.html
http://www.vupen.com/english/advisories/2006/1500
http://www.vupen.com/english/advisories/2006/4750
https://exchange.xforce.ibmcloud.com/vulnerabilities/26001
https://issues.rpath.com/browse/RPL-683
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9696