• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: PHP ZendEngine ECalloc Integer Overflow Vulnerability

Severity: HIGH

Description:

PHP is a general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

PHP is prone to an integer-overflow vulnerability.

The vulnerability occurs because the application fails to properly bounds-check user-supplied data. The issue affects the 'ecalloc' function of 'zend_alloc.c', a component of 'ZendEngine2'; specifically, when the 'nmemb + size' parameters of '_ecalloc' overflow a 'size_t' integer value when multiplied together.

An attacker can exploit this vulnerability to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions.

Affected Products:

• Apple Mac OS X 10.0.0
• Apple Mac OS X 10.0.1
• Apple Mac OS X 10.0.2
• Apple Mac OS X 10.0.3
• Apple Mac OS X 10.0.4
• Apple Mac OS X 10.1.0
• Apple Mac OS X 10.1.0
• Apple Mac OS X 10.1.1
• Apple Mac OS X 10.1.2
• Apple Mac OS X 10.1.3
• Apple Mac OS X 10.1.4
• Apple Mac OS X 10.1.5
• Avaya CVLAN
• Avaya Integrated Management
• Avaya Integrated Management 2.1.0
• Avaya Messaging Storage Server
• Avaya Messaging Storage Server MM3.0
• Avaya S8300
• Avaya S8300 R2.0.0
• Avaya S8300 R2.0.1
• Avaya S8500
• Avaya S8500 R2.0.0
• Avaya S8500 R2.0.1
• Avaya S8700 R2.0.0
• Avaya S8700 R2.0.1
• Avaya S8710 R2.0.0
• Avaya S8710 R2.0.1
• Avaya SIP Enablement Services 3.1.1
• Caldera OpenLinux Server 3.1.0
• Caldera OpenLinux Server 3.1.1
• Caldera OpenLinux Workstation 3.1.0
• Caldera OpenLinux Workstation 3.1.1
• Compaq Compaq Secure Web Server PHP 1.0.0
• Conectiva Linux 5.0.0
• Conectiva Linux 5.1.0
• Conectiva Linux 6.0.0
• Conectiva Linux 7.0.0
• Conectiva Linux ecommerce
• Conectiva Linux graficas
• Debian Linux 2.2.0
• Debian Linux 2.2.0 68k
• Debian Linux 2.2.0 IA-32
• Debian Linux 2.2.0 alpha
• Debian Linux 2.2.0 arm
• Debian Linux 2.2.0 powerpc
• Debian Linux 2.2.0 sparc
• Debian Linux 3.0.0
• Debian Linux 3.0.0 alpha
• Debian Linux 3.0.0 arm
• Debian Linux 3.0.0 hppa
• Debian Linux 3.0.0 ia-32
• Debian Linux 3.0.0 ia-64
• Debian Linux 3.0.0 m68k
• Debian Linux 3.0.0 mips
• Debian Linux 3.0.0 mipsel
• Debian Linux 3.0.0 ppc
• Debian Linux 3.0.0 s/390
• Debian Linux 3.0.0 sparc
• EnGarde Secure Linux 1.0.1
• Gentoo Linux
• Gentoo Linux 1.2.0
• Gentoo Linux 1.4.0 _rc1
• Guardian Digital Engarde Secure Linux 1.0.1
• HP Secure OS software for Linux 1.0.0
• Linux kernel 2.4.19
• Linux kernel 2.4.21
• MandrakeSoft Corporate Server 1.0.1
• MandrakeSoft Corporate Server 2.1.0
• MandrakeSoft Corporate Server 2.1.0 x86_64
• MandrakeSoft Corporate Server 3.0.0
• MandrakeSoft Corporate Server 3.0.0 x86_64
• MandrakeSoft Linux Mandrake 10.0.0
• MandrakeSoft Linux Mandrake 10.0.0 amd64
• MandrakeSoft Linux Mandrake 10.1.0
• MandrakeSoft Linux Mandrake 10.1.0 x86_64
• MandrakeSoft Linux Mandrake 2006.0.0
• MandrakeSoft Linux Mandrake 2006.0.0 x86_64
• MandrakeSoft Linux Mandrake 2007.0
• MandrakeSoft Linux Mandrake 2007.0 x86_64
• MandrakeSoft Linux Mandrake 7.1.0
• MandrakeSoft Linux Mandrake 7.2.0
• MandrakeSoft Linux Mandrake 8.0.0
• MandrakeSoft Linux Mandrake 8.0.0 ppc
• MandrakeSoft Linux Mandrake 8.1.0
• MandrakeSoft Linux Mandrake 8.1.0 ia64
• MandrakeSoft Linux Mandrake 8.2.0
• MandrakeSoft Linux Mandrake 8.2.0 ppc
• MandrakeSoft Linux Mandrake 9.0.0
• MandrakeSoft Linux Mandrake 9.1.0
• MandrakeSoft Linux Mandrake 9.1.0 ppc
• MandrakeSoft Multi Network Firewall 2.0.0
• MandrakeSoft Single Network Firewall 7.2.0
• OpenPKG OpenPKG 1.1.0
• OpenPKG OpenPKG Current
• OpenPKG OpenPKG Stable
• PHP PHP 3.0.0.10
• PHP PHP 3.0.0.11
• PHP PHP 3.0.0.12
• PHP PHP 3.0.0.13
• PHP PHP 3.0.0.16
• PHP PHP 3.0.00
• PHP PHP 3.0.1
• PHP PHP 3.0.10
• PHP PHP 3.0.11
• PHP PHP 3.0.12
• PHP PHP 3.0.13
• PHP PHP 3.0.14
• PHP PHP 3.0.15
• PHP PHP 3.0.16
• PHP PHP 3.0.17
• PHP PHP 3.0.18
• PHP PHP 3.0.2
• PHP PHP 3.0.3
• PHP PHP 3.0.4
• PHP PHP 3.0.5
• PHP PHP 3.0.6
• PHP PHP 3.0.7
• PHP PHP 3.0.8
• PHP PHP 3.0.9
• PHP PHP 4.0.0 0
• PHP PHP 4.0.1
• PHP PHP 4.0.1 pl1
• PHP PHP 4.0.1 pl2
• PHP PHP 4.0.2
• PHP PHP 4.0.3
• PHP PHP 4.0.3 pl1
• PHP PHP 4.0.4
• PHP PHP 4.0.5
• PHP PHP 4.0.6
• PHP PHP 4.0.7
• PHP PHP 4.0.7 RC1
• PHP PHP 4.0.7 RC2
• PHP PHP 4.0.7 RC3
• PHP PHP 4.1.0 .0
• PHP PHP 4.1.1
• PHP PHP 4.1.2
• PHP PHP 4.2.0 -dev
• PHP PHP 4.2.0 .0
• PHP PHP 4.2.1
• PHP PHP 4.2.2
• PHP PHP 4.2.3
• PHP PHP 4.3.0
• PHP PHP 4.3.1
• PHP PHP 4.3.10
• PHP PHP 4.3.11
• PHP PHP 4.3.2
• PHP PHP 4.3.3
• PHP PHP 4.3.4
• PHP PHP 4.3.5
• PHP PHP 4.3.6
• PHP PHP 4.3.7
• PHP PHP 4.3.8
• PHP PHP 4.3.9
• PHP PHP 4.4.0 .0
• PHP PHP 4.4.1
• PHP PHP 4.4.2
• PHP PHP 4.4.3
• PHP PHP 4.4.4
• PHP PHP 5.0.0 .0
• PHP PHP 5.0.0 candidate 1
• PHP PHP 5.0.0 candidate 2
• PHP PHP 5.0.0 candidate 3
• PHP PHP 5.0.1
• PHP PHP 5.0.2
• PHP PHP 5.0.3
• PHP PHP 5.0.4
• PHP PHP 5.0.5
• PHP PHP 5.1.0
• PHP PHP 5.1.1
• PHP PHP 5.1.2
• PHP PHP 5.1.3
• PHP PHP 5.1.3-RC1
• PHP PHP 5.1.4
• PHP PHP 5.1.5
• PHP PHP 5.1.6
• PHP PHP 5.2
• RedHat Advanced Workstation for the Itanium Processor 2.1.0
• RedHat Advanced Workstation for the Itanium Processor 2.1.0 IA64
• RedHat Enterprise Linux AS 2.1
• RedHat Enterprise Linux AS 2.1 IA64
• RedHat Enterprise Linux ES 2.1
• RedHat Enterprise Linux ES 2.1 IA64
• RedHat Enterprise Linux WS 2.1
• RedHat Enterprise Linux WS 2.1 IA64
• RedHat Fedora Core3
• RedHat Fedora Core5
• RedHat Linux 6.2.0
• RedHat Linux 6.2.0 alpha
• RedHat Linux 6.2.0 i386
• RedHat Linux 6.2.0 sparc
• RedHat Linux 7.0.0
• RedHat Linux 7.0.0 alpha
• RedHat Linux 7.0.0 i386
• RedHat Linux 7.1.0
• RedHat Linux 7.1.0 alpha
• RedHat Linux 7.1.0 i386
• RedHat Linux 7.1.0 ia64
• RedHat Linux 7.2.0
• RedHat Linux 7.2.0 i386
• RedHat Linux 7.2.0 ia64
• RedHat Linux 8.0.0
• RedHat Linux 8.0.0 i386
• S.u.S.E. Linux 6.4.0
• S.u.S.E. Linux 6.4.0 alpha
• S.u.S.E. Linux 6.4.0 i386
• S.u.S.E. Linux 6.4.0 ppc
• S.u.S.E. Linux 7.0.0
• S.u.S.E. Linux 7.0.0 alpha
• S.u.S.E. Linux 7.0.0 i386
• S.u.S.E. Linux 7.0.0 ppc
• S.u.S.E. Linux 7.0.0 sparc
• S.u.S.E. Linux 7.1.0
• S.u.S.E. Linux 7.1.0 alpha
• S.u.S.E. Linux 7.1.0 ppc
• S.u.S.E. Linux 7.1.0 sparc
• S.u.S.E. Linux 7.1.0 x86
• S.u.S.E. Linux 7.2.0
• S.u.S.E. Linux 7.2.0 i386
• S.u.S.E. Linux 7.3.0
• S.u.S.E. Linux 7.3.0 i386
• S.u.S.E. Linux 7.3.0 ppc
• S.u.S.E. Linux 7.3.0 sparc
• S.u.S.E. Linux 8.0.0
• S.u.S.E. Linux 8.0.0 i386
• S.u.S.E. Linux 8.1.0
• S.u.S.E. Linux Enterprise Server 8
• S.u.S.E. Linux Openexchange Server
• S.u.S.E. Linux Personal 10.1
• S.u.S.E. Linux Personal 8.2.0
• S.u.S.E. Linux Personal 9.0.0
• S.u.S.E. Linux Personal 9.0.0 x86_64
• S.u.S.E. Linux Personal 9.1.0
• S.u.S.E. Linux Personal 9.2.0
• S.u.S.E. Linux Personal 9.2.0 x86_64
• S.u.S.E. Linux Personal 9.3.0
• S.u.S.E. Linux Personal 9.3.0 x86_64
• S.u.S.E. Linux Professional 10.0.0
• S.u.S.E. Linux Professional 10.1
• S.u.S.E. Linux Professional 9.0.0 x86_64
• S.u.S.E. Linux Professional 9.1.0
• S.u.S.E. Linux Professional 9.1.0 x86_64
• S.u.S.E. Linux Professional 9.2.0
• S.u.S.E. Linux Professional 9.2.0 x86_64
• S.u.S.E. Linux Professional 9.3.0
• S.u.S.E. Linux Professional 9.3.0 x86_64
• S.u.S.E. Novell Linux POS 9
• S.u.S.E. Open-Enterprise-Server
• S.u.S.E. SLE SDK 10
• S.u.S.E. SLE SDK 9
• S.u.S.E. SUSE LINUX Retail Solution 8.0.0
• S.u.S.E. SuSE Linux Openexchange Server 4.0.0
• S.u.S.E. SuSE Linux School Server for i386
• S.u.S.E. SuSE Linux Standard Server 8.0.0
• S.u.S.E. UnitedLinux 1.0.0
• Slackware Linux 8.1.0
• Sun 2800 Workgroup NTT/KOBE 2800WGJ-KOBE 0.0.0
• Sun Cobalt Control Station 4100CS
• Sun Cobalt Qube3 4000WG
• Sun Cobalt Qube3 Japanese 4000WGJ
• Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
• Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
• Sun Cobalt Qube3 w/ Caching and RAID 4100WG
• Sun Cobalt Qube3 w/Caching 4010WG
• Sun Cobalt RaQ 550
• Sun Cobalt RaQ XTR 3500R
• Sun Cobalt RaQ XTR Japanese 3500R-ja
• Sun Cobalt RaQ4 3001R
• Sun Cobalt RaQ4 Japanese RAID 3100R-ja
• Sun Cobalt RaQ4 RAID 3100R
• Sun LX50
• Trustix Secure Enterprise Linux 2.0.0
• Trustix Secure Linux 1.1.0
• Trustix Secure Linux 1.2.0
• Trustix Secure Linux 1.5.0
• Trustix Secure Linux 2.0.0
• Trustix Secure Linux 2.1.0
• Trustix Secure Linux 2.2.0
• Trustix Secure Linux 3.0.0
• Turbolinux Home
• Turbolinux Turbolinux 10 F...
• Turbolinux Turbolinux Desktop 10.0.0
• Turbolinux Turbolinux Server 10.0.0
• Turbolinux Turbolinux Server 7.0.0
• Turbolinux Turbolinux Server 8.0.0
• Turbolinux Turbolinux Workstation 7.0.0
• Turbolinux Turbolinux Workstation 8.0.0
• Ubuntu Ubuntu Linux 4.1.0 ia32
• Ubuntu Ubuntu Linux 4.1.0 ia64
• Ubuntu Ubuntu Linux 4.1.0 ppc
• Ubuntu Ubuntu Linux 5.0.0 4 amd64
• Ubuntu Ubuntu Linux 5.0.0 4 i386
• Ubuntu Ubuntu Linux 5.0.0 4 powerpc
• Ubuntu Ubuntu Linux 5.10.0 amd64
• Ubuntu Ubuntu Linux 5.10.0 i386
• Ubuntu Ubuntu Linux 5.10.0 powerpc
• Ubuntu Ubuntu Linux 5.10.0 sparc
• Ubuntu Ubuntu Linux 6.06 LTS amd64
• Ubuntu Ubuntu Linux 6.06 LTS i386
• Ubuntu Ubuntu Linux 6.06 LTS powerpc
• Ubuntu Ubuntu Linux 6.06 LTS sparc

References:

• Avaya: ASA-2006-223 - php security update (RHSA-2006-0688)
• Avaya: ASA-2006-234 - php security update (RHSA-2006-0708)
• CVE: CVE-2006-4812
• Hardened PHP Project: Advisory 09/2006: PHP unserialize() Array Creation Integer Overflow
• OpenPKG: OpenPKG-SA-2006.023-php
• PHP: PHP Homepage
• PHP: revision 1.162, Sat Sep 30 17:17:31 2006 UTC
• Red Hat: Bugzilla Bug 209409: CVE-2006-4812 PHP ecalloc integer overflow
• Red Hat: RHSA-2006:0688-13 - php security update
• Red Hat: RHSA-2006:0708-6 - php security update
• RedHat: [SECURITY] Fedora Core 5 Update: php-5.1.6-1.1

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.