CVE-2013-6712: Buffer Overflow
First published: Thu Nov 28 2013(Updated: )
The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PHP | <5.3.29 | |
| PHP | >=5.4.0<5.4.24 | |
| PHP | >=5.5.0<5.5.8 | |
| Apple iOS and macOS | <=10.10.2 | |
| openSUSE | =11.4 | |
| openSUSE | =12.2 | |
| openSUSE | =12.3 | |
| openSUSE | =13.1 | |
| Ubuntu | =10.04 | |
| Ubuntu | =12.04 | |
| Ubuntu | =12.10 | |
| Ubuntu | =13.04 | |
| Ubuntu | =13.10 | |
| Debian Linux | =6.0 | |
| Debian Linux | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.php.net/?p=php-src.git;a=commit;h=12fe4e90be7bfa2a763197079f68f5568a14e071
- http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00125.html
- http://lists.opensuse.org/opensuse-updates/2013-12/msg00126.html
- http://rhn.redhat.com/errata/RHSA-2014-1765.html
- http://www.debian.org/security/2013/dsa-2816
- http://www.ubuntu.com/usn/USN-2055-1
- https://bugs.php.net/bug.php?id=66060
- https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322
- https://support.apple.com/HT204659
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=12fe4e90be7bfa2a763197079f68f5568a14e071
Frequently Asked Questions
What is the severity of CVE-2013-6712?
CVE-2013-6712 is classified as a moderate severity vulnerability due to its potential to cause denial of service through heap-based buffer over-read.
How do I fix CVE-2013-6712?
To remediate CVE-2013-6712, you should upgrade PHP to version 5.5.6 or later, or to any version above the affected versions in the 5.4.x and 5.3.x series.
Which versions of PHP are affected by CVE-2013-6712?
CVE-2013-6712 affects PHP versions prior to 5.5.6 as well as specific versions within the 5.4.x and 5.3.x series.
Can CVE-2013-6712 be exploited remotely?
Yes, CVE-2013-6712 can be exploited remotely by attackers using crafted interval specifications.
What kind of impact can CVE-2013-6712 have on my system?
The impact of CVE-2013-6712 is a potential denial of service condition that could lead to application crashes due to memory issues.
- agent/type
- agent/remedy
- agent/weakness
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/php
- canonical/php
- version/php/5.4.0
- version/php/5.5.0
- vendor/apple
- canonical/apple ios and macos
- version/apple ios and macos/10.10.2
- vendor/opensuse
- canonical/opensuse
- version/opensuse/11.4
- version/opensuse/12.2
- version/opensuse/12.3
- version/opensuse/13.1
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/10.04
- version/ubuntu/12.04
- version/ubuntu/12.10
- version/ubuntu/13.04
- version/ubuntu/13.10
- vendor/debian
- canonical/debian linux
- version/debian linux/6.0
- version/debian linux/7.0