lists.openwall.net: Open Source and information security mailing list archives
Date: Tue Jun 28 09:02:38 2005
From: martin.pitt at canonical.com (Martin Pitt)
Subject: PHP: Calendar Buffer Overflow

Hi!

FistFucker [2005-06-27 7:02 +0200]:
> There are some nice sprintf()'s in "\ext\calendar\calendar.c":
> 'sprintf(date, "%i/%i/%i", month, day, year);'
>
> Example exploitation (4.3.11):
>
> <?php
>
> JDToGregorian(999999999);
>
> ?>

Interesting that this works on Windows. I took a look at the code:

    PHP_FUNCTION(jdtogregorian)
    {
        pval **julday;
        int year, month, day;
        char date[10];
        [...]
        sprintf(date, "%i/%i/%i", month, day, year);
        RETURN_STRING(date, 1);
    }

The biggest string length I could get is 15 characters. That would merely
overflow into the "year, month, day" integers, but not even close to the
function's return address. Of course that is a bug that should be fixed in
CVS head, but I think it's not exploitable, so it does not require a
security update as far as I can see.

Thanks for the report,

Martin

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer         http://www.ubuntu.com
Debian Developer         http://www.debian.org
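The exchange above turns on one question: how many characters can "%i/%i/%i" produce, and does char date[10] hold them? The following C program is an added example for this thread, not Martin's code and not the PHP source: it sizes the buffer for the worst case (three 32-bit ints, each up to the 11 characters of INT_MIN, plus two slashes and a NUL), replaces the unbounded sprintf with a bounded snprintf that reports truncation, and checks whether a given date would have fit in the original 10 bytes. The Julian-day conversion it uses to turn the reported input 999999999 into a date is an assumption for illustration (the textbook Fliegel and Van Flandern algorithm with 64-bit intermediates), not PHP's own SdnToGregorian, so the digits PHP 4.3.11 printed on a 32-bit build may differ; the buffer-sizing logic does not depend on them.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Each "%i" can expand to at most the 11 characters of "-2147483648"
 * (INT_MIN on a 32-bit int), so "%i/%i/%i" needs 3*11 + 2 separators
 * + 1 NUL. The original char date[10] cannot hold that worst case. */
#define DATE_BUF_SIZE (3 * 11 + 2 + 1)   /* 36 bytes */
#define ORIGINAL_DATE_BUF_SIZE 10        /* char date[10] in the quoted PHP source */

struct gregorian { int year, month, day; };

/* Illustrative conversion (assumption: Fliegel & Van Flandern, not PHP's
 * SdnToGregorian). 64-bit intermediates, because 4*jd overflows a 32-bit
 * int long before jd reaches 999999999. */
struct gregorian jd_to_gregorian(long long jd)
{
    long long l = jd + 68569;
    long long n = 4 * l / 146097;
    l = l - (146097 * n + 3) / 4;
    long long i = 4000 * (l + 1) / 1461001;
    l = l - 1461 * i / 4 + 31;
    long long j = 80 * l / 2447;
    long long d = l - 2447 * j / 80;
    l = j / 11;
    long long m = j + 2 - 12 * l;
    long long y = 100 * (n - 49) + i + l;
    struct gregorian g = { (int)y, (int)m, (int)d };
    return g;
}

/* Characters sprintf would emit (excluding the NUL) for these values:
 * the count the 10-byte buffer had to absorb. */
int gregorian_needed_len(int month, int day, int year)
{
    return snprintf(NULL, 0, "%i/%i/%i", month, day, year);
}

/* Hardened formatter: bounded write; truncation is reported (-1) and
 * leaves an empty string, never bytes written past the buffer.
 * Returns 0 on success. */
int format_gregorian(int month, int day, int year, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%i/%i/%i", month, day, year);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Would the formatted date have fit in the original char date[10]? */
int fits_in_original_buffer(int month, int day, int year)
{
    return gregorian_needed_len(month, day, year) < ORIGINAL_DATE_BUF_SIZE;
}

int main(void)
{
    long long jd = 999999999;   /* the input from the report */
    struct gregorian g = jd_to_gregorian(jd);
    char small[ORIGINAL_DATE_BUF_SIZE], big[DATE_BUF_SIZE];

    printf("JD %lld -> %d/%d/%d needs %d chars + NUL\n", jd, g.month, g.day,
           g.year, gregorian_needed_len(g.month, g.day, g.year));
    printf("fits in char date[10]: %s\n",
           fits_in_original_buffer(g.month, g.day, g.year) ? "yes" : "no");
    printf("bounded write into 10 bytes: %d\n",
           format_gregorian(g.month, g.day, g.year, small, sizeof small));
    printf("bounded write into %d bytes: %d -> \"%s\"\n", DATE_BUF_SIZE,
           format_gregorian(g.month, g.day, g.year, big, sizeof big), big);
    printf("worst case for three ints: %d chars\n",
           gregorian_needed_len(INT_MIN, INT_MIN, INT_MIN));
    return 0;
}
```

With the illustrative conversion, JD 999999999 becomes 11/26/2733194, a 13-character string that needs 14 bytes and so runs 4 bytes past char date[10], which is the kind of small overrun into neighbouring locals that Martin describes. The design point is that the fix is not a slightly bigger buffer but a buffer sized for the format string's worst case plus a bounded write, so that no input value can make the length exceed the allocation.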