Tuesday, February 12, 2013

Chunk-split() Overflow not fixed at all...

If you are one of those who read the PHP CVS commits, you usually know about security bugs months before the rest of the community, and this is no news to you. During the last 24 hours the following fix was merged into PHP CVS:

Corrected fix for CVE-2007-2872


This fixes the chunk_split() overflow (found by SEC-CONSULT) that, according to the PHP 5.2.3 release notes, was already fixed. The original fix, however, was not only broken but complete nonsense. If you can read C you will see that the integer overflow was not fixed in PHP 5.2.3 at all: the overflowing computation was simply moved into a separate line, and an additional bogus if clause was added that does not prevent it.


You can test this yourself with the following code:


So my recent posting, which was called marketing FUD, is even more true.


PS: I wonder whether SEC-CONSULT was the one that reported that the fix is no fix at all, or whether it was one of the Linux distributors. The Linux distributors and their regression tests are always a good way to check whether bugs are fixed correctly.


PS2: What I failed to mention in the original blog entry is that the fix of the fix is still vulnerable to an overflow, because a float number is cast to an int for the allocation. In the case of large numbers, this results in not enough memory being allocated.
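The integer arithmetic at the heart of this bug, as an added illustration in C. This is not the PHP source and not the test code from the original entry; it is a simplified model of the output-length computation a chunk_split()-style routine has to do (input length, plus one separator copy per chunk, plus a NUL), written three ways: with no check, with a check applied only after the multiplication has already wrapped, and with the operands range-checked and the arithmetic done in a wider type before anything is truncated to the allocation size. The function names, the 32-bit signed lengths and the input values are assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative model (not the PHP source) of the length bookkeeping in a
 * chunk_split()-style routine: output = input + one separator after every
 * chunk (the trailing partial chunk included) + a NUL.  Lengths are 32-bit
 * signed, as PHP 5.2 string lengths were.
 */

/* 32-bit two's-complement wraparound spelled out in unsigned arithmetic, so
 * the wrap is defined behaviour here rather than the undefined signed
 * overflow real code of this shape relies on. */
static int32_t add32(int32_t a, int32_t b) { return (int32_t)((uint32_t)a + (uint32_t)b); }
static int32_t mul32(int32_t a, int32_t b) { return (int32_t)((uint32_t)a * (uint32_t)b); }

/* Variant 1: one expression, no check at all. */
static int32_t out_len_unchecked(int32_t srclen, int32_t chunklen, int32_t endlen)
{
    int32_t chunks = srclen / chunklen;
    return add32(add32(srclen, mul32(add32(chunks, 1), endlen)), 1);
}

/* Variant 2: the multiplication moved to its own line and tested afterwards.
 * The product has already wrapped when the test runs, so only wraps that land
 * in the sign bit are caught; a wrap to a small positive value passes. */
static bool out_len_post_checked(int32_t srclen, int32_t chunklen, int32_t endlen, int32_t *out)
{
    int32_t chunks = srclen / chunklen;
    int32_t ends = mul32(add32(chunks, 1), endlen);
    if (ends < 0)
        return false;
    int32_t total = add32(add32(srclen, ends), 1);
    if (total < 0)
        return false;
    *out = total;
    return true;
}

/* Variant 3: reject bad operands, compute in int64, and only then narrow. */
static bool out_len_checked(int32_t srclen, int32_t chunklen, int32_t endlen, int32_t *out)
{
    if (srclen < 0 || chunklen <= 0 || endlen < 0)
        return false;
    int32_t chunks = srclen / chunklen;
    int64_t ends = ((int64_t)chunks + 1) * endlen;  /* both factors < 2^31: fits in int64 */
    if (ends > INT32_MAX)
        return false;
    int64_t total = (int64_t)srclen + ends + 1;
    if (total > INT32_MAX)
        return false;
    *out = (int32_t)total;
    return true;
}

int main(void)
{
    /* Constructed input: a 64 KiB string split into 1-byte chunks with a
     * 64 KiB separator.  The true output length is 65535 + 65536 * 65536 + 1,
     * a little over 4 GiB; in 32-bit arithmetic the product wraps to 0 and
     * the routine believes 64 KiB is enough. */
    int32_t srclen = 65535, chunklen = 1, endlen = 65536, len = 0;

    printf("unchecked:    %d bytes\n", out_len_unchecked(srclen, chunklen, endlen));
    printf("post-checked: %s (%d bytes)\n",
           out_len_post_checked(srclen, chunklen, endlen, &len) ? "accepted" : "rejected", len);
    printf("pre-checked:  %s\n",
           out_len_checked(srclen, chunklen, endlen, &len) ? "accepted" : "rejected");
    return 0;
}
```

The first two variants hand an allocator 65536 bytes for a result that needs over 4 GiB, and the subsequent copy loop writes past the buffer; only the third refuses the input. Doing the arithmetic in double and casting the result to int, as the PS2 above describes, does not help either: a double above INT_MAX has no defined conversion to int in C, so the range check has to happen on the wide value before the cast, never on the narrowed result afterwards.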

