Date: Fri, 8 Aug 2008 15:01:44 +0100
From: Joe Orton <jorton@...hat.com>
To: oss-security@...ts.openwall.com
Cc: jorton@...hat.com
Subject: Re: CVE request: php-5.2.6 overflow issues

On Fri, Aug 08, 2008 at 03:31:45PM +0200, Christian Hoffmann wrote:
>   * Overflow in ext/gd's imageloadfont() function [1] [2] [3]
>   * Overflow in php's internal memnstr() function which is exposed
>     to userspace as "explode()" [1] [2] [4] [5]
>
> As those functions might take user-supplied data in certain webapps
> (which is a valid use case at least in case of explode()), those issues
> should probably be expected to be remotely exploitable.

The explode() bug could only be triggered if a script passed a delimiter 
from untrusted script input without sanitizing/checking it first, which 
is fairly pathological behaviour.  I would call that a script bug, not 
an issue in the PHP interpreter.

e.g. looking through the first ~80 hits from:

http://www.google.com/codesearch?hl=en&q=+lang:php+explode\+*\(&start=70&sa=N

as expected, every explode() call uses a constant/trusted delimiter.

Regards, Joe (please CC me on replies)
