oss-sec mailing list archives
CVE Request: PHP 5.3.3, libmbfl, mb_strcut
From: Pierre Joye <pierre.php () gmail com>
Date: Sun, 7 Nov 2010 21:22:22 +0100
hi,

Mateusz reported the following issue earlier today.

Updated patch, tests pass now: http://pastie.org/1279682

Information disclosure flaw. PHP 5.2 is not affected (newer version of libmbfl). PHP 5.3 and trunk use libmbfl 1.1.0.

---------- Forwarded message ----------
From: Mateusz Kocielski <m.kocielski () gmail com>
Date: Sun, Nov 7, 2010 at 6:47 PM
Subject: mb_strcut
To: security () php net

Hello,

I've found a flaw in the mb_strcut function, php doesn't the length parameter passed to the function in all possible cases. Simple exploitation:

<?php
$b = "bbbbbbbbbbb";
str_repeat("THIS IS A SECRET MESSAGE, ISN'T IT?", 1);
$var3 = mb_strcut($b, 0, 1000);
echo $var3;
?>

Pierre suggested the following patch: http://pastie.org/pastes/1279428/text . I've tested it with your test suite, one of the mbstring related test cases failed:

Bug #49354 (mb_strcut() cuts wrong length when offset is in the middle of a multibyte character) [ext/mbstring/tests/bug49354.phpt]

--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
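An added example, not part of the original message and not libmbfl's or PHP's code: a simplified C model of a byte-oriented cut that bounds the requested length against the buffer and also handles the offset-inside-a-multibyte-character case named in bug49354.phpt. The function name bounded_strcut, its signature, the UTF-8 assumption and the sample input are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True when b is a UTF-8 continuation byte (10xxxxxx). */
static int is_cont(unsigned char b) { return (b & 0xC0) == 0x80; }

/*
 * Hypothetical helper: cut up to `length` bytes of the UTF-8 buffer
 * s[0..len) starting at byte offset `from`, on character boundaries.
 * Returns the number of bytes copied to out, or (size_t)-1 on bad input.
 */
size_t bounded_strcut(const unsigned char *s, size_t len, size_t from,
                      size_t length, unsigned char *out, size_t out_cap)
{
    size_t start = from, end;

    if (s == NULL || out == NULL || from > len)
        return (size_t)-1;

    /* An offset inside a multibyte character moves back to its lead byte. */
    while (start > 0 && start < len && is_cont(s[start]))
        start--;

    /* Clamp by subtraction: start + length is never formed unchecked. */
    if (length > len - start)
        length = len - start;
    end = start + length;

    /* Do not emit a truncated character at the tail. */
    while (end > start && end < len && is_cont(s[end]))
        end--;

    if (end - start > out_cap)
        return (size_t)-1;
    memcpy(out, s + start, end - start);
    return end - start;
}

int main(void)
{
    /* Constructed input mirroring the report: 11 bytes, 1000 requested. */
    const unsigned char b[] = "bbbbbbbbbbb";
    unsigned char out[64];
    size_t n = bounded_strcut(b, sizeof b - 1, 0, 1000, out, sizeof out);

    printf("requested 1000 bytes, got %zu\n", n);
    return n == 11 ? 0 : 1;
}
```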