Date: Thu, 9 Dec 2010 15:38:00 +0100
From: Pierre Joye <>
Subject: Re: Re: NULL byte poisoning fix in php 5.3.4+

On Thu, Dec 9, 2010 at 3:34 PM, Steven M. Christey
<> wrote:
> On Thu, 9 Dec 2010, Pierre Joye wrote:
>> We are about to release 5.2.15 and 5.3.4, can anyone please get an id
>> for this issue?
> I just assigned CVE-2006-7243 to the issue, i.e.
> NULL injection in file_exists() *only*.
> However, as already stated, the issue of NULL byte injection with PHP dates
> back to 1999 or so (ouch... I remember that).  If PHP is addressing NULL
> byte injection beyond just file_exists(), then that may need a separate CVE.

We fixed it for all file functions. See the link to the commit for
more details about which codes have been changed. Do we need a CVE for
every function? I hope not :)


@pierrejoye
