CVE-2014-4049

php: heap-based buffer overflow in DNS TXT record parsing

Severity Score

9.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function.

Desbordamiento de buffer basado en memoria dinámica en la función php_parserr en ext/standard/dns.c en PHP 5.6.0beta4 y anteriores permite a servidores remotos causar una denegación de servicio (caída) y posiblemente ejecutar código arbitrario a través de un registro DNS TXT manipulado, relacionado con la función dns_get_record.

A heap-based buffer overflow flaw was found in the way PHP parsed DNS TXT records. A malicious DNS server or a man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application used the dns_get_record() function to perform a DNS query.

The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue related to the SPL ArrayObject and SPLObjectStorage Types. It was discovered that PHP is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query. A flaw was found in the way file parsed property information from Composite Document Files (CDF) files, where the mconvert() function did not correctly compute the truncated pascal string size. Multiple flaws were found in the way file parsed property information from Composite Document Files files, due to insufficient boundary checks on buffers. PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to this issue. It has been updated to versions 5.5.14, which fix this issue and several other bugs. The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue that can cause it to leak arbitrary process memory. Additionally, php-apc has been rebuilt against the updated php packages and the php-timezonedb packages has been upgraded to the 2014.5 version.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-06-12 CVE Reserved
2014-06-17 CVE Published
2024-08-06 CVE Updated
2025-04-13 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-122: Heap-based Buffer Overflow

CAPEC

References (26)

URL	Tag	Source
http://secunia.com/advisories/59270	Third Party Advisory
http://secunia.com/advisories/59329	Third Party Advisory
http://secunia.com/advisories/59418	Third Party Advisory
http://secunia.com/advisories/59496	Third Party Advisory
http://secunia.com/advisories/59513	Third Party Advisory
http://secunia.com/advisories/59652	Third Party Advisory
http://secunia.com/advisories/60998	Third Party Advisory
http://support.apple.com/kb/HT6443	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21683486	Third Party Advisory
http://www.openwall.com/lists/oss-security/2014/06/13/4	Mailing List
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html	Third Party Advisory
http://www.securityfocus.com/bid/68007	Third Party Advisory
http://www.securitytracker.com/id/1030435	Third Party Advisory
https://support.apple.com/HT204659	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/php/php-src/commit/b34d7849ed90ced9345f8ea1c59bc8d101c18468	2022-08-29

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html	2022-08-29
http://lists.opensuse.org/opensuse-security-announce/2014-07/msg00001.html	2022-08-29
http://lists.opensuse.org/opensuse-security-announce/2014-07/msg00002.html	2022-08-29
http://lists.opensuse.org/opensuse-updates/2014-06/msg00051.html	2022-08-29
http://lists.opensuse.org/opensuse-updates/2014-07/msg00032.html	2022-08-29
http://marc.info/?l=bugtraq&m=141017844705317&w=2	2022-08-29
http://rhn.redhat.com/errata/RHSA-2014-1765.html	2022-08-29
http://rhn.redhat.com/errata/RHSA-2014-1766.html	2022-08-29
http://www.debian.org/security/2014/dsa-2961	2022-08-29
https://bugzilla.redhat.com/show_bug.cgi?id=1108447	2014-10-30
https://access.redhat.com/security/cve/CVE-2014-4049	2014-10-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Opensuse Search vendor "Opensuse"		Opensuse Search vendor "Opensuse" for product "Opensuse"				11.3 Search vendor "Opensuse" for product "Opensuse" and version "11.3"		-		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				>= 5.3.0 < 5.3.29 Search vendor "Php" for product "Php" and version " >= 5.3.0 < 5.3.29"		-		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				>= 5.4.0 < 5.4.30 Search vendor "Php" for product "Php" and version " >= 5.4.0 < 5.4.30"		-		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				>= 5.5.0 < 5.5.14 Search vendor "Php" for product "Php" and version " >= 5.5.0 < 5.5.14"		-		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				5.6.0 Search vendor "Php" for product "Php" and version "5.6.0"		alpha1		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				5.6.0 Search vendor "Php" for product "Php" and version "5.6.0"		alpha2		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				5.6.0 Search vendor "Php" for product "Php" and version "5.6.0"		alpha3		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				5.6.0 Search vendor "Php" for product "Php" and version "5.6.0"		alpha4		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				5.6.0 Search vendor "Php" for product "Php" and version "5.6.0"		alpha5		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				5.6.0 Search vendor "Php" for product "Php" and version "5.6.0"		beta1		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				5.6.0 Search vendor "Php" for product "Php" and version "5.6.0"		beta2		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				5.6.0 Search vendor "Php" for product "Php" and version "5.6.0"		beta3		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected