[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 8 Nov 2010 15:58:23 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: CVE Request: PHP 5.3.3, libmbfl, mb_strcut
Please use CVE-2010-4156
Thanks.
--
JB
----- "Pierre Joye" <pierre.php@...il.com> wrote:
> hi,
>
> Mateusz reported the following issue earlier today.
>
> Updated patch, tests pass now: http://pastie.org/1279682
>
> Information disclosure flaw. PHP 5.2 is not affected (newer version of
> libmbfl).
>
> PHP 5.3 and trunk uses libmbfl 1.1.0.
>
>
> ---------- Forwarded message ----------
> From: Mateusz Kocielski <m.kocielski@...il.com>
> Date: Sun, Nov 7, 2010 at 6:47 PM
> Subject: mb_strcut
> To: security@....net
>
>
> Hello,
>
> I've found flaw in the mb_strcut function, php doesn't the length
> parameter passed to the function in all possible cases.
>
> Simple exploitation:
>
> <?php
> $b = "bbbbbbbbbbb";
> str_repeat("THIS IS A SECRET MESSAGE, ISN'T IT?", 1);
> $var3 = mb_strcut($b, 0, 1000);
> echo $var3;
> ?>
>
> Pierre suggested the following patch:
> http://pastie.org/pastes/1279428/text . I've tested it with your test
> suite, one of the mbstring related test cases failed: Bug #49354
> (mb_strcut() cuts wrong length when offset is in the middle of a
> multibyte character) [ext/mbstring/tests/bug49354.phpt]
>
>
> --
> Pierre
>
> @pierrejoye | http://blog.thepimp.net | http://www.libgd.org
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Powered by Openwall GNU/*/Linux -
Powered by OpenVZ
