A type confusion vulnerability in the merge_param() function of php_http_params.c in PHPs pecl-http extension 3.1.0beta2 (PHP 7) and earlier as well as 2.6.0beta2 (PHP 5) and earlier allows attackers to crash PHP and possibly execute arbitrary code via crafted HTTP requests.
Weakness
The product does not correctly convert an object, resource, or structure from one type to a different type.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ext-http | Php | * | 2.5.6 (including) |
| Ext-http | Php | 3.0.0 (including) | 3.0.1 (including) |
| Ext-http | Php | 2.6.0 (including) | 2.6.0 (including) |
| Ext-http | Php | 2.6.0-beta1 (including) | 2.6.0-beta1 (including) |
| Ext-http | Php | 2.6.0-beta2 (including) | 2.6.0-beta2 (including) |
| Ext-http | Php | 2.6.0-rc1 (including) | 2.6.0-rc1 (including) |
| Ext-http | Php | 3.1.0 (including) | 3.1.0 (including) |
| Ext-http | Php | 3.1.0-beta1 (including) | 3.1.0-beta1 (including) |
| Ext-http | Php | 3.1.0-beta2 (including) | 3.1.0-beta2 (including) |
| Ext-http | Php | 3.1.0-rc1 (including) | 3.1.0-rc1 (including) |
| Php-pecl-http | Ubuntu | disco | * |
| Php-pecl-http | Ubuntu | esm-apps/xenial | * |
| Php-pecl-http | Ubuntu | trusty | * |
| Php-pecl-http | Ubuntu | upstream | * |
| Php-pecl-http | Ubuntu | xenial | * |
References
- https://bugs.php.net/bug.php?id=73055
- https://bugs.php.net/bug.php?id=73055\u0026edit=1
- https://github.com/m6w6/ext-http/commit/17137d4ab1ce81a2cee0fae842340a344ef3da83
- https://lists.debian.org/debian-lts-announce/2019/09/msg00022.html
- https://bugs.php.net/bug.php?id=73055
- https://bugs.php.net/bug.php?id=73055\u0026edit=1
- https://github.com/m6w6/ext-http/commit/17137d4ab1ce81a2cee0fae842340a344ef3da83
- https://lists.debian.org/debian-lts-announce/2019/09/msg00022.html