CVE-2011-0708
Published: 2011-03-20
Priority: P4 · 25 · medium · CVSS 2.0: 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 9.86% (95.0th percentile)
exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read.
Affected
107 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| php | php | <= 5.3.5 | — |
| php | php | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
Red Hat · vendor_redhat · 2011-10-27 · CVSS 4.3
CVE-2011-4566 [MEDIUM] CWE-190: php: integer overflow in exif_process_IFD_TAG() may lead to DoS or arbitrary memory disclosure
Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows remote attackers to read the contents of arbitrary memory locations or cause a denial of service via a crafted offset_val value in an EXIF header in a JPEG file, a different vulnerability than CVE-2011-0708.
Ubuntu · vendor_ubuntu · 2011-05-05 · CVSS 5.0
CVE-2010-4697 [MEDIUM]: PHP Regressions
Summary: USN 1126-1 introduced two regressions in PHP.
USN 1126-1 fixed several vulnerabilities in PHP. The fix for CVE-2010-4697 introduced an incorrect reference counting regression in the Zend engine that caused the PHP interpreter to segfault. This regression affects Ubuntu 6.06 LTS and Ubuntu 8.04 LTS.

The fixes for CVE-2011-1072 and CVE-2011-1144 introduced a regression in the PEAR installer that prevented it from creating its cache directory and reporting errors correctly.
We apologize for the inconvenience.
Original advisory details:
Stephane Chazelas discovered that the /etc/cron.d/php5 cron job for PHP 5.3.5 allows local users to delete arbitrary files via a symlink attack on a directory under /var/lib/php5/. (CVE-2011-0441)
Raphael Geisert and Dan R
Ubuntu · vendor_ubuntu · 2011-04-29 · CVSS 5.0
CVE-2011-0421 [MEDIUM]: PHP vulnerabilities
Summary: Multiple vulnerabilities in PHP.
Stephane Chazelas discovered that the /etc/cron.d/php5 cron job for PHP 5.3.5 allows local users to delete arbitrary files via a symlink attack on a directory under /var/lib/php5/. (CVE-2011-0441)

Raphael Geisert and Dan Rosenberg discovered that the PEAR installer allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories. (CVE-2011-1072, CVE-2011-1144)

Ben Schmidt discovered that a use-after-free vulnerability in the PHP Zend engine could allow an attacker to cause a denial of service (heap memory corruption) or possibly execute arbitrary code. (CVE-2010-4697)
Martin Barbella disco
Red Hat · vendor_redhat · 2011-02-14 · CVSS 4.3
CVE-2011-0708 [MEDIUM]: php: buffer over-read in Exif extension
exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read.
GHSA · ghsa_unreviewed · 2022-05-17 · CVSS 4.3
CVE-2011-4566 [MEDIUM]: GHSA-hp65-4pq5-qqw7: Integer overflow in the exif_process_IFD_TAG function in exif
Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows remote attackers to read the contents of arbitrary memory locations or cause a denial of service via a crafted offset_val value in an EXIF header in a JPEG file, a different vulnerability than CVE-2011-0708.
GHSA · ghsa_unreviewed · 2022-05-14
CVE-2011-0708 [MEDIUM] CWE-119: GHSA-cv97-45j6-8wc2: exif
exif.c in the Exif extension in PHP before 5.3.6 on 64-bit platforms performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) via an image with a crafted Image File Directory (IFD) that triggers a buffer over-read.
No detection rules found.
Bugzilla · bugzilla · 2011-11-29 · CVSS 4.3
CVE-2011-4566 [MEDIUM]: php: integer overflow in exif_process_IFD_TAG() may lead to DoS or arbitrary memory disclosure
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4566 to the following vulnerability:

Name: CVE-2011-4566
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4566
Assigned: 20111128
Reference: https://bugs.php.net/bug.php?id=60150

Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows remote attackers to read the contents of arbitrary memory locations or cause a denial of service via a crafted offset_val value in an EXIF header in a JPEG file, a different vulnerability than CVE-2011-0708.
Although the CVE description specifically indicates 5.4.0beta2 is affected, it does look
Bugzilla · bugzilla · 2011-02-28 · CVSS 4.3
CVE-2011-0708 [MEDIUM]: php: buffer over-read in Exif extension
An insufficient input validation flaw was discovered in PHP's Exif extension, which extracts Exif data from image files:
http://thread.gmane.org/gmane.comp.security.oss.general/4198
An integer overflow causes PHP to not validate offsets read from the file properly, causing it to read behind the end of the buffer. This leads to a PHP interpreter crash when reading specially crafted Exif data.
Before the code over-reading the buffer is reached, PHP needs to allocate a large amount of memory (based on the components / length value read from the file). This attempt triggers the integer overflow check in safe_emalloc on 32bit platforms and requires the memory_limit for the script to be set to -1 (i.e. no limit is enforced by PHP
References

- http://bugs.php.net/bug.php?id=54002
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057709.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057710.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056642.html
- http://marc.info/?l=bugtraq&m=133469208622507&w=2
- http://openwall.com/lists/oss-security/2011/02/14/1
- http://openwall.com/lists/oss-security/2011/02/16/7
- http://rhn.redhat.com/errata/RHSA-2012-0071.html
- http://securityreason.com/securityalert/8114
- http://support.apple.com/kb/HT5002
- http://svn.php.net/viewvc?view=revision&revision=308316
- http://www.debian.org/security/2011/dsa-2266
- http://www.exploit-db.com/exploits/16261/
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:052
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:053
- http://www.php.net/ChangeLog-5.php
- http://www.php.net/archive/2011.php
- http://www.php.net/releases/5_3_6.php
- http://www.redhat.com/support/errata/RHSA-2011-1423.html
- http://www.securityfocus.com/bid/46365
- http://www.vupen.com/english/advisories/2011/0744
- http://www.vupen.com/english/advisories/2011/0764
- http://www.vupen.com/english/advisories/2011/0890
- https://bugzilla.redhat.com/show_bug.cgi?id=680972