Date: Fri, 18 Mar 2011 10:28:17 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Oden Eriksson <oeriksson@...driva.com>
Subject: Re: CVE request: PHP substr_replace() use-after-free

* [2011-03-13 15:41:55 -0300] Felipe Pena wrote:

>2011/3/13 Oden Eriksson <oeriksson@...driva.com>
>
>> On Sunday, 13 March 2011 15:00:10, Felipe Pena wrote:
>> > Hi,
>> >
>> > I just found a use-after-free in PHP's substr_replace() function caused
>> > by passing the same variable multiple times to the function, which makes
>> > PHP use the same pointer in three variables inside the function, so when
>> > the pointer is changed by a type conversion inside the function, it
>> > invalidates the other variables.
>> >
>> > The PHP security team has been notified, and a bug has already been filed
>> > in the bugtracker (http://bugs.php.net/bug.php?id=54238 [private])
>> >
>> > $ sapi/cli/php ../bug.php
>> > array(1) {
>> > [0]=>
>> > string(5) "0?? y"
>> > }
>> > array(1) {
>> > [0]=>
>> > string(1) "0"
>> > }
>> >
>> >
>> > Thanks.
>>
>> It seems only 5.2 is affected because I couldn't reproduce it on 5.3. Or?
>>
>>
>It affects 5.2, 5.3 and even trunk. I can reproduce it in all the branches.

Do you have a reproducer for this issue that you could share?  The bug
is still private.

Thanks.

-- 
Vincent Danen / Red Hat Security Response Team 
