Date: Fri, 18 Jan 2013 10:59:17 -0500
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: oss-security@...ts.openwall.com
CC: coley@...us.mitre.org
Subject: CVE Request: PHP openssl_encrypt memory disclosure

Hello,

PHP 5.3.9 to 5.3.13 disclose arbitrary memory when an empty $data string is passed to openssl_encrypt.

It was introduced with the following commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=095cbc48a8f0090f3b0abc6155f2b61943c9eafb

and was fixed in 5.3.14 with the following:
http://git.php.net/?p=php-src.git;a=commitdiff;h=270a406ac94b5fc5cc9ef59fc61e3b4b95648a3e

Bugs:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1099793
https://bugs.php.net/bug.php?id=61413

Could a CVE please be assigned to this issue?

Thanks,

Marc.

--
Marc Deslauriers
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/