oss-sec mailing list archives

Re: CVE request: format-string vulnerability in PHP Phar extension

From: Josh Bressers <bressers () redhat com>
Date: Mon, 14 Mar 2011 16:54:22 -0400 (EDT)

Please use CVE-2011-1153 for this.

Thanks.

-- 
    JB



----- Original Message -----

Hi,
I just found several format-string vulnerability in PHP Phar
extension, a
bug has been filed in the PHP bugtracker (private):
http://bugs.php.net/bug.php?id=54247
On error several class methods passes the supplied argument to
zend_throw_exception_ex()
which prints a formatted error message using such value as the
formatter
string.

$ sapi/cli/php ../bug.php "%08x.%08x.%08x.%08x.%08x"
PHP Fatal error: Uncaught exception 'PharException' with message
'unable to
open phar for reading "00000008.00000000.bf95c204.0963e050.00000014"'
in
/home/felipe/dev/bug.php:4

Thanks.

--
Regards,
Felipe Pena

Current thread:

CVE request: format-string vulnerability in PHP Phar extension Felipe Pena (Mar 14)
- Re: CVE request: format-string vulnerability in PHP Phar extension Felipe Pena (Mar 14)
- Re: CVE request: format-string vulnerability in PHP Phar extension Josh Bressers (Mar 14)