[php-maint] Bug#365312: CVE-2006-1990/CVE-2006-1991: Security vulnerabilities in php

Stefan Fritsch sf at sfritsch.de
Sat Apr 29 06:38:15 UTC 2006


Package: php5
Version: 5.1.2-1
Severity: grave

Three security vulnerabilities have been found in php.
See http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-04-02

i. PHP4/PHP5 wordwrap() buffer overflow
CVE-2006-1990:
Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and
5.1.2 might allow context-dependent attackers to execute arbitrary
code via certain long arguments that cause a small buffer to be
allocated, which triggers a heap-based buffer overflow in a memcpy
function call, a different vulnerability than CVE-2002-1396.

ii. PHP4/PHP5 array_fill() DoS condition

Function array_fill() fills an array with 'num' entries with the value
of the 'value' parameter keys starting at the 'start_index'
parameter. It is possible to set a large 'num' value (counter for
while() loop) that will consume whole system memory in a few seconds
and make system unusable. It is important to notice that large memory
consumption is possible only on systems that have high value
of 'memory_limit' set in php.ini.

iii. PHP5 substr_compare() DoS condition
CVE-2006-1991:
The substr_compare function in string.c in PHP 4.4.2 and 5.1.2 allows
context-dependent attackers to cause a denial of service (memory
access violation) via an out-of-bounds offset argument.

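Added example, not PHP's code and not the patch applied to string.c: the class of check whose absence item i. describes is an output-size computation that can wrap, so the allocator returns a buffer smaller than the later memcpy. The C below computes a wordwrap-style output bound with overflow-checked arithmetic and refuses to allocate when any step would wrap; all function names and the size formula are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical helpers: return 0 on success, -1 if the result would wrap.
 * A wrapped size_t passed to malloc() yields a buffer far smaller than the
 * data later copied into it, which is the pattern the CVE text describes. */
static int checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

static int checked_add(size_t a, size_t b, size_t *out) {
    if (b > SIZE_MAX - a) return -1;
    *out = a + b;
    return 0;
}

/* Upper bound for wrapping `textlen` bytes every `width` bytes with a
 * `breaklen`-byte break string (assumed formula, sized for the worst case):
 *   textlen + (textlen / width + 1) * breaklen + 1 for the terminating NUL
 * Returns 0 and stores the bound in *out, or -1 on overflow or width == 0. */
int wordwrap_bufsize(size_t textlen, size_t width, size_t breaklen, size_t *out) {
    size_t breaks, extra, total;
    if (width == 0) return -1;
    if (checked_add(textlen / width, 1, &breaks)) return -1;
    if (checked_mul(breaks, breaklen, &extra)) return -1;
    if (checked_add(textlen, extra, &total)) return -1;
    return checked_add(total, 1, out);
}

/* Convenience wrapper: the bound, or 0 when the computation was rejected
 * (0 is never a valid bound because the NUL byte is always counted). */
size_t wordwrap_bufsize_or_zero(size_t textlen, size_t width, size_t breaklen) {
    size_t n;
    return wordwrap_bufsize(textlen, width, breaklen, &n) == 0 ? n : 0;
}

/* Allocate the output buffer only once the size is known not to have wrapped. */
char *wordwrap_alloc(size_t textlen, size_t width, size_t breaklen) {
    size_t n = wordwrap_bufsize_or_zero(textlen, width, breaklen);
    return n ? (char *)malloc(n) : NULL;
}
```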