CVE-2017-11362
Publication date 17 July 2017
Last updated 25 August 2025
Ubuntu priority
Description
In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict the locale length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact within International Components for Unicode (ICU) for C/C++ via a long first argument to the msgfmt_parse_message function.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| php5 | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty |
Fixed 5.5.9+dfsg-1ubuntu4.22
|
|
| php7.0 | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial |
Fixed 7.0.22-0ubuntu0.16.04.1
|
|
| 14.04 LTS trusty | Not in release | |
| php7.1 | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Notes
seth-arnold
PHP team disputes this CVE's security relevance
mdeslaur
php5 looks to be affected by the issue also reproducer doesn't work on any release
Patch details
| Package | Patch details |
|---|---|
| php7.0 | |
| php7.1 |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-3382-1
- PHP vulnerabilities
- 10 August 2017
- USN-3566-2
- PHP vulnerabilities
- 22 May 2019