| Summary: | PHP openlog() Buffer Overflow Vulnerability | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | schaedpq |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | CC: | m.debruijne, php-bugs |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://http://www.securityfocus.com/bid/7210/ | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
schaedpq
2004-03-28 04:03:40 UTC
PHP herd -- could you review/comment?

Looking now ...

Here's what I've looked at so far:

* The syslog.c source code file hasn't been touched since January 2004, and no fixes for any bug like this have been committed since php-4.3.1 was released.
* I can't reproduce the buffer overflow issue. I've loaded a copy of php-4.3.4 with debugging statements, and I can't see any problem. And I can't spot an obvious problem from reviewing the code either.

The key part of the openlog() function comes down to a call to estrndup():

```c
/* Zend memory manager: duplicate exactly `length` bytes of `s` into a
 * freshly allocated buffer of length+1 bytes and NUL-terminate it. */
ZEND_API char *_estrndup(const char *s, uint length ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
{
	char *p;

	HANDLE_BLOCK_INTERRUPTIONS();
	/* Allocate room for the requested bytes plus the terminating NUL. */
	p = (char *) _emalloc(length+1 ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
	if (!p) {
		HANDLE_UNBLOCK_INTERRUPTIONS();
		return (char *)NULL;
	}
	HANDLE_UNBLOCK_INTERRUPTIONS();
	/* Copy only the caller-supplied length, then terminate explicitly. */
	memcpy(p, s, length);
	p[length] = 0;
	return p;
}
```

This function is used throughout PHP for duplicating strings. If openlog() was vulnerable, then there would be many other exploits also possible.

If you have code that reproduces this fault, please add it to this bug. The script included in one of the links below does not show up this security hole.

Best regards,
Stu

No response from submitter in ~1 week.

Since we were unable to reproduce this bug locally and have not had further contact from the original submitter, closing as invalid.