Date: Fri, 09 Jan 2015 04:02:41 +1100
From: Joshua Rogers <>
Subject: Re: CVE Request: PHP

On 08/01/15 22:11, Joshua Rogers wrote:

> CVE Request 2:
> Uninitialized Pointer Read in PHP core ('fopen()')
> Bug report:
> Commit fix:
Not a valid security risk. In all cases of the 'vulnerable' function
being used, a specific case is not true, which means that it cannot be
>>                 if (!(stream = php_stream_open_wrapper(p + 10, mode,
>> options, opened_path))) {
>>                         efree(pathdup);
>>                         return NULL;
>>                 }
'stream' must be false when php_stream_apply_filter_list is called,
which for all cases in the PHP code, cannot be.

> CVE Request 3:
> Uninitialized Pointer Read in PHP core
> Bug report:
> Commit fix:
This is invalid too.
It requires, like the request #2, for 'stream' to be NULL.

>         for (key = php_strtok_r(tmp, ",", &lasts);
In this case, 'tmp' must be NULL for it to crash/be exploited.
But tmp is defined:
>         tmp = estrndup(new_value->val, new_value->len);
estrndup uses "emalloc", which, like the other one from a few days ago
that I revoked, doesn't return NULL but just crashes the program with an
out-of-memory exit.

-- Joshua Rogers <>
