[php-maint] Bug#783099: php5: Fileinfo on specific file causes spurious OOM and/or segfault

[Henri Salo]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Source: php5
Version: 5.6.7+dfsg-1
Severity: grave
Tags: security, upstream, fixed-upstream

Hi,

the following vulnerability was published for PHP5,

"""
When calling finfo::file() or finfo::buffer() with a crafted string, PHP will
crash by either segfaulting or trying to allocate an large amount of memory
(4GiB).

This was found in the wild when a user uploaded a file (running finfo on
arbitrary files uploaded by users is one of its main use cases.). I've since
anonymised the file, and made it more minimal. At this stage, very small changes
to the string make it produce different behaviour - removing the remaining 'a',
's', or 'y' characters, for instance, will allow finfo to process it fine.
"""

For further information see:
  https://bugs.php.net/bug.php?id=68819
  https://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVN11hAAoJECet96ROqnV0NFwP/1WyM6/jYhMkuyyjIDuGJLR6
5agci0HcM64R5It7Dvoy7HPtP431Qg5XvtJBn2P5YRq9Kgh1g0T7NeA4jbQIQEQs
lj/zO4zfBSnhCvkCbsqhLDYDASx1M2esXgfXy4EDejBPvVMSPtSr3GjVt9Ptufty
/GgA3FRf+XDDNNDebGsDVvkKH5pAvK7QN8R8UsmG8uiEYP9+vdlwdAK5pykrWsGa
yZEm7x/OXjETTnjIoz+0p89ExFBBuNyryhMQGVfiJxivTMHaHMBuZ/2BlBhIM0S2
VTf42JtlLTmG6NZW71OplY2kN1f+p+ADXy/OUtwbV700tuk58wIwt+r5Ymqa9wmA
crO2xyNm2CgA0K6Vew0vEYBWVc7fFQQuGhQX6lKOwng3OXaM3Xo9BzEvrOGVrTgz
sw7ilWb4kfUTjtZoAYVOqL0YTafMi3CzjmH3MzeFMyxMRtYlqgc7S+KrqJXWMX2A
TlqA2WhAOMIHNG8xxuXdwlzzVRoPakY0Jkgx5XdUlU9QdNmeIljcxdPAIXHAeEAj
IPSBQFUjAZABB7GWKgZcyJv6p2Z9nc5GkQ9RYm297QtGbPVYGUfmBZsJOloJfXIF
V4dRZWkVoonbaC5WtjaGPyOIHnl35AZ7Hl4MkQ5JMzScbN3u1BooY1+NXNBsHTPL
JLN2O58YQiTodP1AZWfx
=y0h8
-----END PGP SIGNATURE-----