![]() |
|
Date: Thu, 16 Jul 2015 01:24:02 -0500 From: Brian Carpenter <brian.carpenter@...il.com> To: oss-security@...ts.openwall.com Subject: CVE Request: use after free in PHP 5.6 and 7 (possibly others) Bug Report: https://bugs.php.net/bug.php?id=70083 Fixed in PHP 5.6: http://git.php.net/?p=php-src.git;a=commitdiff;h=f57cb13c566613eec0e1c2f6d96d18565436a9b7 Fixed in 7: http://git.php.net/?p=php-src.git;a=commit;h=0af07333520f65def3a72f31effa38c907e962f9 This bug may also affect PHP 5.0.4, 5.0.5, 5.1.0-5.1.6, 5.4.0-5.5.26 (based on 3v4l.org responses), triggered by this unminimized test case which wasn't included in the original bug report: <?php class wpq { private $unrenced; public function __get($name) { return $this; } } function ret_assoc() { return array('Roo' => 'bar'); } $wpq = new wpq; $wpq->interesting =& ret_assoc(); $x +@...q->interesting; printf("%s\n", $x); Regards, Brian 'geeknik' Carpenter https://twitter.com/geeknik
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.