[php-maint] Bug#365312: CVE-2006-1990/CVE-2006-1991: Security vulnerabilities in php
Stefan Fritsch
sf at sfritsch.de
Sat Apr 29 06:38:15 UTC 2006
Package: php5
Version: 5.1.2-1
Severity: grave
Three security vulnerabilities have been found in php.
See http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-04-02
i. PHP4/PHP5 wordwrap() buffer overflow
CVE-2006-1990:
Integer overflow in the wordwrap function in string.c in PHP 4.4.2 and
5.1.2 might allow context-dependent attackers to execute arbitrary
code via certain long arguments that cause a small buffer to be
allocated, which triggers a heap-based buffer overflow in a memcpy
function call, a different vulnerability than CVE-2002-1396.
ii. PHP4/PHP5 array_fill() DoS condition
Function array_fill() fills an array with 'num' entries with the value
of the 'value' parameter keys starting at the 'start_index'
parameter. It is possible to set a large 'num' value (counter for
while() loop) that will consume whole system memory in a few seconds
and make system unusable. It is important to notice that large memory
consumption is possible only on systems that have high value
of 'memory_limit' set in php.ini.
iii. PHP5 substr_compare() DoS condition
CVE-2006-1991
The substr_compare function in string.c in PHP 4.4.2 and 5.1.2 allows
context-dependent attackers to cause a denial of service (memory
access violation) via an out-of-bounds offset argument.
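
The wordwrap() issue described in item i belongs to a general bug class: a buffer size computed from caller-supplied lengths wraps around, so the allocation is smaller than the data later copied into it. The following C sketch is an added example, not code from PHP's string.c or from the advisory; the function names and the size formula (text length plus break count times break length plus one) are assumptions chosen to illustrate the unchecked and checked forms of such a calculation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pattern, modelled in 32-bit unsigned arithmetic so the
 * wraparound is well defined in C: the result silently wraps. */
static uint32_t naive_size32(uint32_t textlen, uint32_t breaks, uint32_t breaklen)
{
    return textlen + breaks * breaklen + 1u;
}

/* Checked pattern: stores textlen + breaks * breaklen + 1 in *out and
 * returns 0, or returns -1 if that value does not fit in size_t. */
static int checked_size(size_t textlen, size_t breaks, size_t breaklen, size_t *out)
{
    size_t extra;

    if (breaklen != 0 && breaks > SIZE_MAX / breaklen)
        return -1;                      /* multiplication would wrap */
    extra = breaks * breaklen;
    if (extra > SIZE_MAX - textlen)
        return -1;                      /* addition would wrap */
    if (extra + textlen == SIZE_MAX)
        return -1;                      /* no room for the trailing NUL */
    *out = extra + textlen + 1;
    return 0;
}

/* Allocate the output buffer only when its size is representable. */
static char *alloc_wrapped(size_t textlen, size_t breaks, size_t breaklen)
{
    size_t n;

    if (checked_size(textlen, breaks, breaklen, &n) != 0)
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed values: 0x10000 * 0x10000 wraps to 0 in 32 bits. */
    printf("naive 32-bit size: %u\n",
           (unsigned)naive_size32(16, 0x10000u, 0x10000u));
    char *buf = alloc_wrapped(16, SIZE_MAX, 2);
    printf("checked allocation: %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

The naive form reports a 17-byte buffer for inputs whose true size exceeds 4 GiB, while the checked form refuses the request before any allocation or copy takes place.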