oss-sec mailing list archives
Re: CVE request: php-5.2.6 overflow issues
From: Joe Orton <jorton () redhat com>
Date: Fri, 8 Aug 2008 15:01:44 +0100
On Fri, Aug 08, 2008 at 03:31:45PM +0200, Christian Hoffmann wrote:
> * Overflow in ext/gd's imageloadfont() function [1] [2] [3]
> * Overflow in php's internal memnstr() function which is exposed to userspace as "explode()" [1] [2] [4] [5]
>
> As those functions might take user-supplied data in certain webapps (which is a valid use case at least in case of explode()), those issues should probably be expected to be remotely exploitable.
The explode() bug could only be triggered if a script passed a delimiter from untrusted script input without sanitizing/checking it first, which is fairly pathological behaviour. I would call that a script bug, not an issue in the PHP interpreter. e.g. looking through the first ~80 hits from:

http://www.google.com/codesearch?hl=en&q=+lang:php+explode\+*\(&start=70&sa=N

as expected, every explode() call uses a constant/trusted delimiter.

Regards, Joe

(please CC me on replies)
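The reply above rests on explode()'s delimiter being a constant or otherwise trusted value. The following PHP snippet is an added illustration, not code from this thread or from PHP itself, of what a script that must let the request pick a separator should do: compare the request value against a fixed allowlist and hand only the matching constant to explode(), so a request-controlled delimiter never reaches the interpreter. The allowlist contents, the `sep` parameter and the function names are assumptions made for the example.

```php
<?php
// Added example, not part of the oss-sec thread or of PHP itself.
// Assumed scenario: a web app lets the request choose how a field is split.
// The allowlist and the function names below are hypothetical.

// Only the delimiters the application actually needs; anything else is
// rejected, so explode() never sees a request-controlled delimiter.
function allowed_delimiters() {
    return array(',', ';', "\t", '|');
}

// Returns the pieces, or null when the requested delimiter is not trusted.
// Strict comparison (third argument true) avoids loose type juggling.
function split_with_trusted_delimiter($delimiter, $value) {
    if (!is_string($delimiter) || !in_array($delimiter, allowed_delimiters(), true)) {
        return null;
    }
    return explode($delimiter, $value);
}

// Simulated request input (constructed for the example).
$requested = isset($_GET['sep']) ? $_GET['sep'] : ',';
$field     = 'a,b,c';

$parts = split_with_trusted_delimiter($requested, $field);
if ($parts === null) {
    // Untrusted separator: refuse the request instead of passing it through.
    header('HTTP/1.0 400 Bad Request');
    echo "unsupported delimiter\n";
} else {
    echo implode(' / ', $parts), "\n";
}
```

With `?sep=,` the script prints `a / b / c`; with any separator not in the allowlist it answers 400 and explode() is never called. The same pattern applies to any library call whose arguments the page's reporter worried about: validate against the small set of values the application needs rather than sanitizing arbitrary input.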