Date: Fri, 12 Mar 2010 12:58:56 -0600
From: Raphael Geissert <>
Subject: CVE-2010-0397: NULL pointer dereference in PHP's xmlrpc extension


At it has been reported a NULL pointer 
dereference in the xmlrpc extension, in a call to estrdup[1]. This bug can at 
least be used to perform DoS attacks.

Looking at the code, I can see multiple, similarly affected, calls.

For tracking purposes (and hoping nobody else has run and assigned one 
themselves) I've assigned CVE-2010-0397.

Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response));

Kind regards,
Raphael Geissert - Debian Developer -
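
The pattern in the quoted line (duplicating a getter's result without checking it) next to a checked variant, as an added example that is not part of the original post and is not PHP's code. `struct request`, `request_get_method_name`, `dup_string` and the two `method_name_*` functions are hypothetical stand-ins, and the sample requests are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a parsed XML-RPC request. */
struct request { const char *method_name; /* NULL if no method name was parsed */ };

/* Hypothetical getter: returns NULL when the request carries no method name. */
const char *request_get_method_name(const struct request *req) {
    return req ? req->method_name : NULL;
}

/* Hypothetical estrdup-like helper: calls strlen() on its argument,
 * so a NULL argument is dereferenced. */
char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Unchecked: same shape as the quoted line. Crashes if the getter returns NULL. */
char *method_name_unchecked(const struct request *req) {
    return dup_string(request_get_method_name(req));
}

/* Checked: 0 on success, -1 if the name is missing, -2 on allocation failure.
 * *out is always initialised, so callers never see a stale pointer. */
int method_name_checked(const struct request *req, char **out) {
    const char *name = request_get_method_name(req);
    *out = NULL;
    if (name == NULL)
        return -1;
    *out = dup_string(name);
    return *out ? 0 : -2;
}

int main(void) {
    struct request ok = { "system.listMethods" };  /* constructed sample */
    struct request missing = { NULL };             /* constructed: no method name */
    char *name;

    if (method_name_checked(&ok, &name) == 0) {
        printf("method: %s\n", name);
        free(name);
    }
    if (method_name_checked(&missing, &name) == -1)
        puts("rejected: request has no method name");
    return 0;
}
```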

