Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 16 Jul 2015 01:24:02 -0500
From: Brian Carpenter <>
Subject: CVE Request: use after free in PHP 5.6 and 7 (possibly others)

Bug Report:

Fixed in PHP 5.6:;a=commitdiff;h=f57cb13c566613eec0e1c2f6d96d18565436a9b7

Fixed in 7:;a=commit;h=0af07333520f65def3a72f31effa38c907e962f9

This bug may also affect PHP 5.0.4, 5.0.5, 5.1.0-5.1.6, 5.4.0-5.5.26 (based
on responses), triggered by this unminimized test case which
wasn't included in the original bug report:


class wpq {
    private $unrenced;

    public function __get($name) {
        return $this;
 function ret_assoc() {
    return array('Roo' => 'bar');

$wpq = new wpq;
$wpq->interesting =& ret_assoc();
$x +@...q->interesting;
printf("%s\n", $x);


Brian 'geeknik' Carpenter

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.