{
  "threat_severity" : "Low",
  "public_date" : "2014-12-17T00:00:00Z",
  "bugzilla" : {
    "description" : "php: out of bounds read when parsing a crafted .php file",
    "id" : "1178736",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1178736"
  },
  "cvss" : {
    "cvss_base_score" : "2.1",
    "cvss_scoring_vector" : "AV:L/AC:L/Au:N/C:N/I:N/A:P",
    "status" : "verified"
  },
  "cwe" : "CWE-125",
  "details" : [ "sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.", "A flaw was found in the way PHP handled malformed source files when running in CGI mode. A specially crafted PHP file could cause PHP CGI to crash." ],
  "statement" : "This flaw requires that a user is able to upload arbitrary PHP code on the system, be a local user able to execute arbitrary PHP code, or have the ability to modify existing PHP code on the system.  It also requires that the modified/arbitrary PHP code is executed with the php-cgi program, and the net result is that php-cgi crashes, effectively resulting in a self-denial of service.\nRed Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
  "affected_release" : [ {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1053",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php55-0:2.0-1.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1053",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php55-php-0:5.5.21-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1066",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php54-0:2.0-1.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1066",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php54-php-0:5.4.40-1.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1066",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php54-php-pecl-zendopcache-0:7.0.4-3.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1053",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php55-0:2.0-1.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1053",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php55-php-0:5.5.21-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1066",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php54-0:2.0-1.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1066",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php54-php-0:5.4.40-1.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1066",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php54-php-pecl-zendopcache-0:7.0.4-3.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1053",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php55-0:2.0-1.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1053",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php55-php-0:5.5.21-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1066",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php54-0:2.0-1.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1066",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php54-php-0:5.4.40-1.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1066",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "php54-php-pecl-zendopcache-0:7.0.4-3.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1053",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "php55-0:2.0-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1053",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "php55-php-0:5.5.21-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1066",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "php54-0:2.0-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1066",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "php54-php-0:5.4.40-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2015-06-04T00:00:00Z",
    "advisory" : "RHSA-2015:1066",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "php54-php-pecl-zendopcache-0:7.0.4-3.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "php53",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "php",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2",
    "fix_state" : "Will not fix",
    "package_name" : "php",
    "cpe" : "cpe:/a:redhat:openshift:2"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Affected",
    "package_name" : "php54-php",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Affected",
    "package_name" : "php55-php",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-php56-php",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-9427\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-9427" ],
  "name" : "CVE-2014-9427",
  "csaw" : false
}