oss-sec mailing list archives
Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary
From: Timo Warns <Timo.Warns () gmail com>
Date: Wed, 18 Mar 2015 20:13:07 +0100
On 2015-03-18, Emmanuel Law wrote:
found an integer overflow in PHP. When processing a malform zip file with many entires, it leads to a heap overflow. Affected Version <= PHP 5.6.6 Bug Report: https://bugs.php.net/bug.php?id=69253 Patch: https://github.com/php/php-src/commit/ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5
This looks like it may also affect libzip upstream (http://hg.nih.at/libzip/file/fa78ab51417f/lib/zip_dirent.c) Was upstream (in copy) informed about the issue? Cheers, Timo
Current thread:
- CVE Request: ZIP Integer Overflow leads to writing past heap boundary Emmanuel Law (Mar 18)
- Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary cve-assign (Mar 18)
- Re: Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary Timo Warns (Mar 18)
- Re: Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary Emmanuel Law (Mar 18)
- Re: Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary Timo Warns (Mar 18)
- Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary Timo Warns (Mar 18)
- Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary Emmanuel Law (Mar 18)
- Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary Thomas Klausner (Mar 23)
- Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary Emmanuel Law (Mar 18)
- Re: CVE Request: ZIP Integer Overflow leads to writing past heap boundary cve-assign (Mar 18)