Upstream bug at $URL.

From http://www.openwall.com/lists/oss-security/2011/03/13/3:

On 03/13/2011 10:00 PM, Felipe Pena wrote:
> Hi,
>
> I just found a use-after-free in PHP's substr_replace() function caused by
> passing the same variable multiple times to the function, which makes
> PHP use the same pointer in three variables inside the function, so when
> the pointer is changed by a type conversion inside the function, it invalidates
> the other variables.
>
> The PHP security team has been notified, and a bug was already filed in the
> bugtracker (http://bugs.php.net/bug.php?id=54238 [private])
>
> $ sapi/cli/php ../bug.php
> array(1) {
>   [0]=>
>   string(5) "0Ȅ y"
> }
> array(1) {
>   [0]=>
>   string(1) "0"
> }
CVE-2011-1148 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1148): Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments.
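The aliasing pattern described in the report and the CVE text above, modelled in C as an added illustration; this is not PHP's code and not the upstream fix. The `value` type, its generation counter and every function name are hypothetical, the input is constructed, and the flawed path returns -1 at the point where real code would read freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy tagged value; a hypothetical stand-in, not PHP's zval. */
typedef enum { T_LONG, T_STRING } vtype;
typedef struct { vtype type; long num; char *str; unsigned gen; } value;
static value make_str(const char *s) {
    value v = { T_STRING, 0, malloc(strlen(s) + 1), 0 };
    if (!v.str) abort();
    strcpy(v.str, s);
    return v;
}

/* In-place conversion: frees the string payload and bumps the generation. */
static void convert_to_long(value *v) {
    if (v->type == T_LONG) return;
    v->num = strtol(v->str, NULL, 10);
    free(v->str); v->str = NULL;
    v->type = T_LONG; v->gen++;      /* pointers captured earlier are now stale */
}
static void copy_tail(const char *s, long off, char *out, size_t n) {
    size_t len = s ? strlen(s) : 0;  /* offset is clamped to the string bounds */
    size_t o = off < 0 ? 0 : ((size_t)off > len ? len : (size_t)off);
    snprintf(out, n, "%s", s ? s + o : "");
}

/* Flawed order: capture the pointer, then convert an argument that may alias. */
static int replace_unsafe(value *subject, value *from, char *out, size_t n) {
    const char *s = subject->str; unsigned gen = subject->gen;
    convert_to_long(from);               /* frees s when from == subject */
    if (subject->gen != gen) return -1;  /* real code would read freed memory */
    copy_tail(s, from->num, out, n);
    return 0;
}

/* Hardened: convert a private copy, so the caller's value never changes. */
static int replace_safe(value *subject, value *from, char *out, size_t n) {
    value tmp = from->type == T_STRING ? make_str(from->str) : *from;
    convert_to_long(&tmp);               /* releases only the private copy */
    copy_tail(subject->str, tmp.num, out, n);
    return 0;
}

int main(void) {                         /* one variable passed as two arguments */
    value v = make_str("2abc"), w = make_str("2abc");
    char out[16];
    printf("unsafe: %d\n", replace_unsafe(&v, &v, out, sizeof out));
    printf("safe: %d\n", replace_safe(&w, &w, out, sizeof out));
    free(w.str);
}
```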
Security Enhancements and Fixes in PHP 5.3.7:
[..]
Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)

Please add glsa request.
Thanks, everyone. Added to existing request.
This issue was resolved and addressed in GLSA 201110-06 at http://security.gentoo.org/glsa/glsa-201110-06.xml by GLSA coordinator Tobias Heinlein (keytoaster).