oss-sec mailing list archives
Re: Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900)
From: Tomas Hoger <thoger () redhat com>
Date: Wed, 8 Dec 2010 12:22:25 +0100
On Tue, 7 Dec 2010 22:43:17 +0000 (UTC) Maksymilian Arciemowicz wrote:

> > Btw, setSymbol() is affected too, and does not seem to be addressed in
> > r305571. In both cases, it's PHP exposing an ICU bug.
>
> setSymbol() gives only DoS with strlen(NULL) [CWE-170].

I don't see that with ICU 4.2.1 and PHP 5.3.3. Please clarify if you see some different results with a different ICU or PHP. Or maybe using a different way to call setSymbol().

I see the same incorrect cast and out of bounds array indexing as with getSymbol, with setSymbol doing writes and hence possibly more likely to be useful for script author attacks (safe mode breaks). Even ignoring the possibly higher impact for setSymbol, it still has at least the impact described in VU#479900 and does not seem to have a PHP fix/workaround.

> getSymbol() Integer overflow which causes heap overflow.

Not CWE-680 kind of stuff though, more of CWE-129 caused by CWE-197/CWE-195.

-- 
Tomas Hoger / Red Hat Security Response Team
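
The bug class named in the message above (an index narrowed by a cast and then used without a full bounds check, CWE-129 reached through CWE-197/CWE-195), as an added example that is not part of the original post and is not PHP or ICU code. The table, its size and the function names `weak_check` and `strict_lookup` are hypothetical; the example assumes a 64-bit script-supplied value narrowed to a 32-bit signed index.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical table; the names and size are constructed for this example. */
static const char *const symbols[] = { ".", ",", ";", "%", "0", "#", "-", "+" };
#define SYMBOL_COUNT ((int64_t)(sizeof symbols / sizeof symbols[0]))

/* Flawed pattern: narrow first (CWE-197), then test only the upper bound of
 * the signed result. Returns true if the check would pass and stores the
 * index that would be used; it never touches the table. The out-of-range
 * conversion is implementation-defined; GCC and Clang wrap modulo 2^32. */
static bool weak_check(int64_t requested, int32_t *index_used)
{
    int32_t narrowed = (int32_t)requested;
    *index_used = narrowed;
    return narrowed < SYMBOL_COUNT;
}

/* Hardened pattern: validate both bounds on the full-width value, and only
 * then convert to the index type. Returns NULL for anything out of range. */
static const char *strict_lookup(int64_t requested)
{
    if (requested < 0 || requested >= SYMBOL_COUNT)
        return NULL;
    return symbols[(size_t)requested];
}

int main(void)
{
    /* Constructed inputs: valid, negative, too large, and two values that
     * only look valid (or negative) after truncation to 32 bits. */
    const int64_t inputs[] = { 3, -1, 100, INT64_C(0x100000003), INT64_C(0x80000000) };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int32_t idx;
        bool weak = weak_check(inputs[i], &idx);
        const char *s = strict_lookup(inputs[i]);
        printf("%12lld  weak=%s (index %d)  strict=%s\n", (long long)inputs[i],
               weak ? "accept" : "reject", (int)idx, s ? s : "reject");
    }
    return 0;
}
```

The weak check accepts every input whose narrowed value is negative or happens to land inside the table, which is why the validation has to run on the original value with both bounds before any cast.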