Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTimvQdK0dTDBVowuPo-FtA6mDj=QZ3+45AK7fQ9A@mail.gmail.com>
Date: Sun, 13 Mar 2011 15:41:55 -0300
From: Felipe Pena <felipensp@...il.com>
To: oss-security@...ts.openwall.com
Cc: Oden Eriksson <oeriksson@...driva.com>
Subject: Re: CVE request: PHP substr_replace() use-after-free

2011/3/13 Oden Eriksson <oeriksson@...driva.com>

> söndagen den 13 mars 2011 15.00.10 skrev  Felipe Pena:
> > Hi,
> >
> > I just found an use-after-free in PHP's substr_replace() function caused
> by
> > passing the same variable multiple times to the function, which makes the
> > PHP to use the same pointer in three variables inside the function, so
> when
> > the pointer is changed by a type conversion inside the function, it
> > invalids the other variables.
> >
> > The PHP security team has seen noticed, and a bug already was filed in
> the
> > bugtracker (http://bugs.php.net/bug.php?id=54238 [private])
> >
> > $ sapi/cli/php ../bug.php
> > array(1) {
> > [0]=>
> > string(5) "0Ȅ y"
> > }
> > array(1) {
> > [0]=>
> > string(1) "0"
> > }
> >
> >
> > Thanks.
>
> It seems only 5.2 is affected because I couldn't reproduce it on 5.3. Or?
>
>
It affects 5.2, 5.3 and even trunk. I can reproduce it in all the branches.

-- 
Regards,
Felipe Pena

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.