CVE-2018-20783

In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse a .phar file. This is related to pharparsepharfile in ext/phar/phar.c.

Database specific

{
    "unresolved_ranges": [
        {
            "source": "CPE_FIELD",
            "extracted_events": [
                {
                    "last_affected": "42.3"
                }
            ],
            "cpe": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*"
        }
    ]
}

References

Affected packages

Git / github.com/php/php-src

Affected ranges

Type

GIT

Repo

https://github.com/php/php-src

Events

Introduced

Fixed

4653a1b260c9d640a292a9548e8def00edc5ca58

Introduced

60fffd296abce5fc071f3c173c25a2696cf683c6

Fixed

bf574c2b67a1f786e36cf679f41b758b973a82c4

Introduced

0221e9f827632942225586687a33cfd554860d5e

Fixed

e7e4f7dc83ab36dfab7b9df00fd1732caca94365

Introduced

8148cbb78841c8ec0759c0836e7f35dec799d300

Fixed

5223e555e0ef44c7202d8b1005ed9181a55b54a4

Database specific

{
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.6.39"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.0.33"
        },
        {
            "introduced": "7.1.0"
        },
        {
            "fixed": "7.1.25"
        },
        {
            "introduced": "7.2.0"
        },
        {
            "fixed": "7.2.13"
        }
    ],
    "cpe": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*"
}

Affected versions

Other

POST_64BIT_BRANCH_MERGE

POST_AST_MERGE

POST_PHP7_NSAPI_REMOVAL

POST_PHP7_REMOVALS

POST_PHPNG_MERGE

PRE_64BIT_BRANCH_MERGE

PRE_AST_MERGE

PRE_PHP7_EREG_MYSQL_REMOVALS

PRE_PHP7_NSAPI_REMOVAL

PRE_PHP7_REMOVALS

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-20783.json"