Date: Mon, 18 May 2015 11:01:14 +0200
From: Andrea Palazzo <andrea.palazzo@...el.it>
To: Stanislav Malyshev <smalyshev@...il.com>, cve-assign@...re.org
CC: oss-security@...ts.openwall.com, security@....net
Subject: Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption

Hi Stas,

while I agree with what you say about the huge memory allocation needed, I wouldn't say this requires the ability to run arbitrary code: controlling the str_repeat() arguments is enough to create a corrupted zval and inject an eventual payload somewhere in memory (which, again, is unlikely but possible).

About code execution, I haven't had the chance to focus on actual exploitation yet (I surely will in the near future), but as you can see from the original report (https://bugs.php.net/bug.php?id=69403), I pointed out several cases in which working on a so-crafted zval would lead to invalid memory access (with user-controlled values as well), so I am pretty confident it is achievable.

On 18/05/2015 10:35, Stanislav Malyshev wrote:
> Hi!
>
>> Hi everyone,
>> this is intended as CVE Request and advisory for
>> https://bugs.php.net/bug.php?id=69403.
>
> I do not think this requires a CVE, as this needs a specially crafted PHP
> script (i.e. local access or the ability to run arbitrary PHP code) and
> memory settings that allow allocating huge (>4G) values, which seems
> unlikely to happen on a common production system. I am not sure how a
> remote code execution vector can be provided for this issue; if you have
> an example, please clarify.
>
> Thanks,