Date: Thu, 28 Apr 2016 15:12:21 +0700
From: Luật Nguyễn <manhluat93.php@...il.com>
To: oss-security@...ts.openwall.com
Subject: [CVE Requests] PHP issues

Hi folks,

There are flaws of various types (heap corruption, heap overflow, uninitialized pointer) in PHP from previous versions that we might have missed.

1. Heap corruption in tar/zip/phar parser
   https://bugs.php.net/bug.php?id=71354

2. Uninitialized pointer in phar_make_dirstream()
   https://bugs.php.net/bug.php?id=71331

3. Multiple Heap Overflow due to integer overflows | xml/filter_url/addcslashes
   https://bugs.php.net/bug.php?id=71637

The 2nd and 3rd may let attackers with a crafted PHAR file potentially execute code remotely without a specific PHP script.

Could we assign CVEs for these? :)

References:
http://php.net/ChangeLog-7.php
http://php.net/ChangeLog-5.php

Thank you && Regards.
Luat.