[php-maint] Bug#364781: php4: segfault in wordwrap() et al. (INFIGO-2006-04-02)
Zoran Dzelajlija
jelly at srce.hr
Tue Apr 25 16:45:27 UTC 2006
Package: php4
Version: 4:4.3.10-16
Severity: normal
Tags:
Hi, I've just been forwarded this and tested it with sarge's apache1.3
module and php4-cli, and sid's php4-cli (4:4.4.2-1+b1). It seems that php4
is vulnerable to the wordwrap() heap overflow described here:
http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-04-02
Two other bugs are described in the advisory, one is a memory exhaustion bug
which at first sight looks like "works as designed", and the other is a php5
only bug which I haven't tested.
Even the wordwrap case looks unlikely to happen in a real app, if it needs
the extra-long break argument given in the PoC example:
<?
$a = str_repeat ("A",438013);
$b = str_repeat ("B",951140);
wordwrap ($a,0,$b,0);
?>
Manual says:
string wordwrap ( string str [, int width [, string break [, bool cut]]] )
Returns a string with str wrapped at the column number specified by the
optional width parameter. The line is broken using the (optional) break
parameter.
Anyway, I have no idea whether any of these are exploitable, but I'm
tempted to add a security tag on it just in case.
Regards,
Zoran
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.14.7
Locale: LANG=C, LC_CTYPE=hr_HR (charmap=ISO-8859-2)
Versions of packages php4 depends on:
ii libapache-mod-php4 4:4.3.10-16 server-side, HTML-embedded scripti
ii libapache2-mod-php4 4:4.3.10-16 server-side, HTML-embedded scripti
ii php4-common 4:4.3.10-16 Common files for packages built fr
-- debconf information excluded
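A defensive wrapper for applications that let untrusted data reach the width or break arguments of wordwrap(), added here as an example (it is not code from the report, the advisory or PHP); the size limits and the name safe_wordwrap are assumptions:

```php
<?php
// Added example, not part of the bug report or of PHP itself: a guard in
// front of wordwrap() for application code where request data can reach the
// width or break arguments. The two limits are assumptions for illustration;
// a real break string is something like "\n" or "<br />\n".
define('SAFE_WW_MAX_BREAK', 16);        // bytes
define('SAFE_WW_MAX_INPUT', 1048576);   // 1 MiB

// Returns the wrapped string, or false (with an E_USER_WARNING) when the
// arguments fall outside the limits. Works on PHP 4 and later.
function safe_wordwrap($str, $width = 75, $break = "\n", $cut = false)
{
    if (!is_string($str) || strlen($str) > SAFE_WW_MAX_INPUT) {
        trigger_error('safe_wordwrap: input rejected (not a string or too long)', E_USER_WARNING);
        return false;
    }
    $width = (int) $width;
    if ($width < 1) {
        // width 0 is what the advisory's PoC passes; refuse it instead of
        // handing it to wordwrap()
        trigger_error('safe_wordwrap: width must be >= 1', E_USER_WARNING);
        return false;
    }
    if (!is_string($break) || $break === '' || strlen($break) > SAFE_WW_MAX_BREAK) {
        trigger_error('safe_wordwrap: break string rejected', E_USER_WARNING);
        return false;
    }
    return wordwrap($str, $width, $break, (bool) $cut);
}

// Constructed inputs: a normal call succeeds, the PoC-shaped call is refused
// before wordwrap() ever runs.
var_dump(safe_wordwrap('The quick brown fox jumps over the lazy dog', 10, "\n", true));
var_dump(safe_wordwrap(str_repeat('A', 1000), 0, str_repeat('B', 1000), 0));
?>
```

The limits only bound what an application hands to wordwrap(); the fix for the overflow itself has to come from the php4 package.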