lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue Jun 28 09:02:38 2005
From: martin.pitt at canonical.com (Martin Pitt)
Subject: PHP: Calendar Buffer Overflow

Hi!

FistFucker [2005-06-27  7:02 +0200]:
>There are some nice sprintf()'s in "\ext\calendar\calendar.c":
>'sprintf(date, "%i/%i/%i", month, day, year);'
>
>Example exploitation (4.3.11):
>
>
><?php
>
> JDToGregorian(999999999);
>
>?>

Interesting that this works on Windows. I took a look at the code:

PHP_FUNCTION(jdtogregorian)
{
    pval **julday;
    int year, month, day;
    char date[10];
    [...]
    sprintf(date, "%i/%i/%i", month, day, year);

    RETURN_STRING(date, 1);
}

The biggest string length I could get is 15 characters. That would
merely overflow into the "year, month, day" integers, but not even
close to the function's return address. 

Of course that is a bug that should be fixed in CVS head, but I think
it's not exploitable, so it does not require a security update as far
as I can see.

Thanks for the report,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050628/676c77e7/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ