Message-ID: <20050628080228.GA8420@piware.de>
Date: Tue Jun 28 09:02:38 2005
From: martin.pitt at canonical.com (Martin Pitt)
Subject: PHP: Calendar Buffer Overflow

Hi!

FistFucker [2005-06-27  7:02 +0200]:
>There are some nice sprintf()'s in "\ext\calendar\calendar.c":
>'sprintf(date, "%i/%i/%i", month, day, year);'
>
>Example exploitation (4.3.11):
>
>
><?php
>
> JDToGregorian(999999999);
>
>?>

Interesting that this works on Windows. I took a look at the code:

PHP_FUNCTION(jdtogregorian)
{
    pval **julday;
    int year, month, day;
    char date[10];
    [...]
    sprintf(date, "%i/%i/%i", month, day, year);

    RETURN_STRING(date, 1);
}

The biggest string length I could get is 15 characters. That would
merely overflow into the "year, month, day" integers, but not even
close to the function's return address. 

Of course that is a bug that should be fixed in CVS head, but I think
it's not exploitable, so it does not require a security update as far
as I can see.

Thanks for the report,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
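A bounds-checked version of that formatting, as an added example that is neither PHP's code nor anything posted in this thread; the names fmt_date_len, date_fits, format_date and DATE_BUF_MAX are chosen here, and the sample year is constructed to show a seven-digit value like the one a very large Julian day number produces:

```c
#include <limits.h>
#include <stdio.h>

/* Added example, not PHP's code. Hypothetical helpers around the same
 * "%i/%i/%i" format that calendar.c hands to sprintf(), with the
 * destination sized for the worst case and the write bounds-checked. */

/* Characters "%i/%i/%i" produces for these values, excluding the NUL. */
size_t fmt_date_len(int month, int day, int year)
{
    int n = snprintf(NULL, 0, "%i/%i/%i", month, day, year);
    return n < 0 ? 0 : (size_t)n;
}

/* Worst case for three 32-bit ints: "-2147483648" is 11 chars each,
 * plus two '/' and the NUL, so 36 bytes hold any input. */
#define DATE_BUF_MAX (3 * 11 + 2 + 1)

/* 1 if the formatted date plus its NUL fits in a buffer of bufsz bytes. */
int date_fits(size_t bufsz, int month, int day, int year)
{
    return fmt_date_len(month, day, year) + 1 <= bufsz;
}

/* Bounded replacement for the sprintf() call: never writes past bufsz,
 * always NUL-terminates, and reports truncation instead of hiding it. */
int format_date(char *buf, size_t bufsz, int month, int day, int year)
{
    int n = snprintf(buf, bufsz, "%i/%i/%i", month, day, year);
    return n >= 0 && (size_t)n < bufsz;
}

int main(void)
{
    char buf[DATE_BUF_MAX];
    /* Constructed sample: 13 chars + NUL, which does not fit date[10]. */
    printf("len=%zu fits in 10: %d\n", fmt_date_len(12, 31, 2733193),
           date_fits(10, 12, 31, 2733193));
    if (format_date(buf, sizeof buf, INT_MIN, INT_MIN, INT_MIN))
        printf("worst case: %s (%zu chars)\n", buf,
               fmt_date_len(INT_MIN, INT_MIN, INT_MIN));
    return 0;
}
```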
