Date: Fri, 09 Jan 2015 04:02:41 +1100
From: Joshua Rogers <>
Subject: Re: CVE Request: PHP

On 08/01/15 22:11, Joshua Rogers wrote:

> CVE Request 2:
> Uninitialized Pointer Read in PHP core ('fopen()')
> Bug report:
> Commit fix:
Not a valid security risk. In all cases where the 'vulnerable' function
is used, a specific case is not true, which means that it cannot be
>>                 if (!(stream = php_stream_open_wrapper(p + 10, mode,
>> options, opened_path))) {
>>                         efree(pathdup);
>>                         return NULL;
>>                 }
'stream' must be false when php_stream_apply_filter_list is called,
which, for all cases in the PHP code, it cannot be.

> CVE Request 3:
> Uninitialized Pointer Read in PHP core
> Bug report:
> Commit fix:
This is invalid too.
It requires, like request #2, for 'stream' to be NULL.

>         for (key = php_strtok_r(tmp, ",", &lasts);
In this case, 'tmp' must be NULL for it to crash/be exploited.
But tmp is defined:
>         tmp = estrndup(new_value->val, new_value->len);
estrndup uses "emalloc", which, like the other one from a few days ago
that I revoked, doesn't return NULL but just crashes the program with an
out-of-memory exit.

-- Joshua Rogers <>

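As an added illustration (not PHP's code and not part of this thread), the C program below models the reasoning in the message above: a hypothetical fail-fast allocator in the style the message attributes to emalloc(), beside one that returns NULL to simulate out-of-memory, both feeding the same strtok_r() loop shape as the quoted php_strtok_r() call. The names fatal_malloc, failing_malloc, dup_with and count_keys_with are invented for the example, and the input strings are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fail-fast allocator, modelled on the behaviour the message
 * attributes to PHP's emalloc(): it never returns NULL, it aborts instead.
 * This is an added illustration, not PHP's implementation. */
void *fatal_malloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) {
        fprintf(stderr, "Fatal error: out of memory (tried to allocate %zu bytes)\n", n);
        abort();
    }
    return p;
}

/* Hypothetical allocator that simulates an out-of-memory condition by
 * returning NULL, the behaviour the CVE request implicitly assumed. */
void *failing_malloc(size_t n)
{
    (void)n;
    return NULL;
}

/* strndup-style copy through a caller-chosen allocator (invented helper). */
static char *dup_with(const char *s, size_t len, void *(*alloc)(size_t))
{
    char *d = alloc(len + 1);
    if (d == NULL)
        return NULL;
    memcpy(d, s, len);
    d[len] = '\0';
    return d;
}

/* Count comma-separated keys in a duplicated buffer, in the shape of the
 * php_strtok_r() loop quoted in the message. Returns -1 if the copy failed.
 * With fatal_malloc the NULL branch is unreachable: the process has already
 * aborted, so strtok_r() never sees a NULL 'tmp'. With failing_malloc the
 * check is what stands between the loop and a NULL dereference. */
int count_keys_with(const char *value, size_t len, void *(*alloc)(size_t))
{
    char *tmp = dup_with(value, len, alloc);
    char *lasts = NULL;
    int n = 0;

    if (tmp == NULL)
        return -1;

    for (char *key = strtok_r(tmp, ",", &lasts);
         key != NULL;
         key = strtok_r(NULL, ",", &lasts)) {
        n++;
    }
    free(tmp);
    return n;
}

int main(void)
{
    /* Constructed sample value, like an ini directive "a,b,c". */
    const char *value = "a,b,c";
    printf("fail-fast allocator: %d keys\n",
           count_keys_with(value, strlen(value), fatal_malloc));
    printf("NULL-returning allocator: %d (copy failed)\n",
           count_keys_with(value, strlen(value), failing_malloc));
    return 0;
}
```

The point the program makes is where the check lives: with a fail-fast allocator the `tmp == NULL` branch in each caller is dead code, because the allocation failure is handled once, at the allocator boundary, by aborting. A static-analysis finding that reports a "missing NULL check" after such an allocator describes an unreachable path, which is the substance of the message's withdrawal of requests #2 and #3.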
