oss-sec mailing list archives

CVE Request: PHP openssl_encrypt memory disclosure


From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Fri, 18 Jan 2013 10:59:17 -0500

Hello,

PHP 5.3.9 to 5.3.13 disclose arbitrary memory when an empty $data string
is passed to openssl_encrypt.

It was introduced with the following commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=095cbc48a8f0090f3b0abc6155f2b61943c9eafb

and was fixed in 5.3.14 with the following:
http://git.php.net/?p=php-src.git;a=commitdiff;h=270a406ac94b5fc5cc9ef59fc61e3b4b95648a3e

Bugs:

https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1099793
https://bugs.php.net/bug.php?id=61413

Could a CVE please be assigned to this issue?

Thanks,

Marc.


-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/

