Date: Fri, 12 Mar 2010 12:58:56 -0600
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Cc: security@....net
Subject: CVE-2010-0397: NULL pointer dereference in PHP's xmlrpc extension

Hi,

At http://bugs.debian.org/573573 a NULL pointer dereference has been reported in the xmlrpc extension, in a call to estrdup. This bug can at least be used to perform DoS attacks.
Looking at the code, I can see multiple, similarly affected, calls.

For tracking purposes (and hoping nobody else has run and assigned one themselves) I've assigned CVE-2010-0397.

    Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response));

Kind regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
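Added example, not part of the original post and not PHP's source: the pattern in the quoted line reduced to plain C, with the unguarded call beside a guarded form. `struct request`, `request_get_method_name`, `dup_string` and both `dup_method_name*` functions are hypothetical stand-ins, and the example assumes the getter returns NULL when no method name was parsed, a condition the post does not spell out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a parsed XML-RPC request. */
struct request {
    const char *method_name;  /* NULL when no method name was parsed (assumption) */
};

/* Stand-in for a getter like XMLRPC_RequestGetMethodName(): may return NULL. */
const char *request_get_method_name(const struct request *req)
{
    return req ? req->method_name : NULL;
}

/* Stand-in for an estrdup-style copy: it reads through s unconditionally. */
char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;          /* dereferences s */
    char *copy = malloc(n);
    return copy ? memcpy(copy, s, n) : NULL;
}

/* Unguarded pattern from the post: undefined behaviour (in practice a
 * crash) whenever the getter returns NULL. */
char *dup_method_name_unguarded(const struct request *req)
{
    return dup_string(request_get_method_name(req));
}

/* Guarded form: returns 0 and sets *out on success; returns -1 with
 * *out == NULL when there is no method name or allocation fails. */
int dup_method_name(const struct request *req, char **out)
{
    const char *name = request_get_method_name(req);
    *out = NULL;
    if (name == NULL)
        return -1;                     /* caller rejects the request instead */
    *out = dup_string(name);
    return *out ? 0 : -1;
}

int main(void)
{
    struct request empty = { NULL };   /* constructed input: no method name */
    char *out;
    printf("guarded result: %d\n", dup_method_name(&empty, &out));
    return 0;
}
```
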