oss-sec mailing list archives
Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900)
From: Maksymilian Arciemowicz <cxib () securityreason com>
Date: Tue, 7 Dec 2010 22:43:17 +0000 (UTC)
Tomas Hoger <thoger@...> writes:
Btw, setSymbol() is affected too, and does not seem to be addressed in r305571. In both cases, it's PHP exposing ICU bug.
setSymbol() give only DoS with strlen(NULL) [CWE-170]. getSymbol() Integer overflow which causes heap overflow. see also ZipArchive:extractTo() Possible CWE-170 strlen(NULL) PoC: <?php $zip = new ZipArchive; $zip->open('./dupa.zip'); var_dump($zip->extractTo('/tmp', array('', ''))); ?> Fix: http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/php_zip.c?view=log
Current thread:
- CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900) Vincent Danen (Dec 06)
- Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900) Steven M. Christey (Dec 06)
- Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900) Vincent Danen (Dec 06)
- Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900) Tomas Hoger (Dec 07)
- Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900) Maksymilian Arciemowicz (Dec 07)
- Re: Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900) Tomas Hoger (Dec 08)
- Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900) Maksymilian Arciemowicz (Dec 08)
- Re: Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900) Tomas Hoger (Dec 08)
- Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900) Maksymilian Arciemowicz (Dec 07)
- Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900) Steven M. Christey (Dec 06)
- Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900) Tomas Hoger (Dec 09)