Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Fri, 8 Aug 2008 15:01:44 +0100
From: Joe Orton <jorton@...hat.com>
To: oss-security@...ts.openwall.com
Cc: jorton@...hat.com
Subject: Re: CVE request: php-5.2.6 overflow issues

On Fri, Aug 08, 2008 at 03:31:45PM +0200, Christian Hoffmann wrote:
>   * Overflow in ext/gd's imageloadfont() function [1] [2] [3]
>   * Overflow in php's internal memnstr() function which is exposed
>     to userspace as "explode()" [1] [2] [4] [5]
>
> As those functions might take user-supplied data in certain webapps  
> (which is a valid use case at least in case of explode()), those issues  
> should probably expected to be remotely exploitable.

The explode() bug could only be triggered if a script passed a delimiter 
from untrusted script input without sanitizing/checking it first, which 
is fairly pathological behaviour.  I would call that a script bug, not 
an issue in the PHP interpreter.

e.g looking through the first ~80 hits from:

http://www.google.com/codesearch?hl=en&q=+lang:php+explode\+*\(&start=70&sa=N

as expected, every explode() call uses a constant/trusted delimiter.

Regards, Joe (please CC me on replies)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux