[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4D7CE261.50002@redhat.com>
Date: Sun, 13 Mar 2011 23:27:29 +0800
From: Eugene Teo <eugene@...hat.com>
To: oss-security@...ts.openwall.com
CC: Felipe Pena <felipensp@...il.com>
Subject: Re: CVE request: PHP substr_replace() use-after-free
On 03/13/2011 10:00 PM, Felipe Pena wrote:
> Hi,
>
> I just found an use-after-free in PHP's substr_replace() function caused by
> passing the same variable multiple times to the function, which makes the
> PHP to use the same pointer in three variables inside the function, so when
> the pointer is changed by a type conversion inside the function, it invalids
> the other variables.
>
> The PHP security team has seen noticed, and a bug already was filed in the
> bugtracker (http://bugs.php.net/bug.php?id=54238 [private])
>
> $ sapi/cli/php ../bug.php
> array(1) {
> [0]=>
> string(5) "0Ȅ y"
> }
> array(1) {
> [0]=>
> string(1) "0"
> }
Please use CVE-2011-1148.
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
