oss-sec mailing list archives

Re: CVE Request -- PHP strrchr() Interruption Information Leak Vulnerability

From: Josh Bressers <bressers () redhat com>
Date: Fri, 2 Jul 2010 14:47:31 -0400 (EDT)


----- "Péter Veres" <moltesalt () gmail com> wrote:

2010/6/30 Josh Bressers <bressers () redhat com>


----- "Péter Veres" <moltesalt () gmail com> wrote:

Hi Steve,

PHP’s strrchr() function can be interrupted and used for

information

leakage due to call time pass by reference.

Could you allocate a CVE id for this issue?


Do you have some sort of reference for this? I'm not finding

anything in

the
usual places.

I'll assign an ID once I have more information.



Fixed in the upstream.
5.3.3 RC1 not affected.
5.2 branch vulnerable.

http://svn.php.net/viewvc?view=revision&revision=300916


Please use CVE-2010-2484

Thanks.

-- 
    JB

Re: CVE Request -- PHP strrchr() Interruption Information Leak Vulnerability Péter Veres (Jul 01)
- Re: CVE Request -- PHP strrchr() Interruption Information Leak Vulnerability Josh Bressers (Jul 02)