Date: Wed, 8 Dec 2010 12:22:25 +0100 From: Tomas Hoger <thoger@...hat.com> To: oss-security@...ts.openwall.com Cc: cxib@...urityreason.com Subject: Re: Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900) On Tue, 7 Dec 2010 22:43:17 +0000 (UTC) Maksymilian Arciemowicz wrote: > > Btw, setSymbol() is affected too, and does not seem to be addressed > > in r305571. In both cases, it's PHP exposing ICU bug. > > setSymbol() give only DoS with strlen(NULL) [CWE-170]. I don't see that with ICU 4.2.1 and PHP 5.3.3. Please clarify if you see some different results with different ICU or PHP. Or maybe using different way to call setSymbol(). I see the same incorrect cast and out of bounds array indexing as with getSymbol, with setSymbol doing writes and hence possibly more likely to be useful for script author attacks (safe mode breaks). Even ignoring possibly higher impact for setSymbol, it still has at least the impact described in VU#479900 and does not seem to have PHP fix/workaround. > getSymbol() Integer overflow which causes heap overflow. Not CWE-680 kind of stuff though, more of CWE-129 caused by CWE-197/CWE-195. -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.