oss-sec mailing list archives
CVE Request: PHP openssl_encrypt memory disclosure
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Fri, 18 Jan 2013 10:59:17 -0500
Hello,

PHP 5.3.9 to 5.3.13 disclose arbitrary memory when an empty $data string is passed to openssl_encrypt.

It was introduced with the following commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=095cbc48a8f0090f3b0abc6155f2b61943c9eafb

and was fixed in 5.3.14 with the following:
http://git.php.net/?p=php-src.git;a=commitdiff;h=270a406ac94b5fc5cc9ef59fc61e3b4b95648a3e

Bugs:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1099793
https://bugs.php.net/bug.php?id=61413

Could a CVE please be assigned to this issue?

Thanks,

Marc.

--
Marc Deslauriers
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/