CVE Request: PHP 5.3.3, libmbfl, mb_strcut

[Pierre Joye <pierre.php () gmail com>]

hi,

Mateusz reported the following issue earlier today.

Updated patch, tests pass now: http://pastie.org/1279682

Information disclosure flaw. PHP 5.2 is not affected (newer version of libmbfl).

PHP 5.3 and trunk uses libmbfl 1.1.0.


---------- Forwarded message ----------
From: Mateusz Kocielski <m.kocielski () gmail com>
Date: Sun, Nov 7, 2010 at 6:47 PM
Subject: mb_strcut
To: security () php net


Hello,

 I've found flaw in the mb_strcut function, php doesn't the length
parameter passed to the function in all possible cases.

 Simple exploitation:

<?php
$b = "bbbbbbbbbbb";
str_repeat("THIS IS A SECRET MESSAGE, ISN'T IT?", 1);
$var3 = mb_strcut($b, 0, 1000);
echo $var3;
?>

Pierre suggested the following patch:
http://pastie.org/pastes/1279428/text . I've tested it with your test
suite, one of the mbstring related test cases failed: Bug #49354
(mb_strcut() cuts wrong length when offset is in the middle of a
multibyte character) [ext/mbstring/tests/bug49354.phpt]


-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org