Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Dec 2010 12:22:25 +0100
From: Tomas Hoger <>
Subject: Re: Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT

On Tue, 7 Dec 2010 22:43:17 +0000 (UTC) Maksymilian Arciemowicz wrote:

> > Btw, setSymbol() is affected too, and does not seem to be addressed
> > in r305571.  In both cases, it's PHP exposing ICU bug.
> setSymbol() give only DoS with strlen(NULL) [CWE-170].

I don't see that with ICU 4.2.1 and PHP 5.3.3.   Please clarify if you
see some different results with different ICU or PHP.  Or maybe using
different way to call setSymbol().  I see the same incorrect cast and
out of bounds array indexing as with getSymbol, with setSymbol doing
writes and hence possibly more likely to be useful for script author
attacks (safe mode breaks).  Even ignoring possibly higher impact for
setSymbol, it still has at least the impact described in VU#479900 and
does not seem to have PHP fix/workaround.

> getSymbol() Integer overflow which causes heap overflow.

Not CWE-680 kind of stuff though, more of CWE-129 caused by

Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.