Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 358975 (CVE-2011-1148) - dev-lang/php: e-after-free in substr_replace() (CVE-2011-1148)
Summary: dev-lang/php: e-after-free in substr_replace() (CVE-2011-1148)
Alias: CVE-2011-1148
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on:
Reported: 2011-03-15 05:04 UTC by Tim Sammut (RETIRED)
Modified: 2011-10-10 20:45 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-03-15 05:04:05 UTC
Upstream bug at $URL. From

On 03/13/2011 10:00 PM, Felipe Pena wrote:
> Hi,
> I just found an use-after-free in PHP's substr_replace() function caused by
> passing the same variable multiple times to the function, which makes the
> PHP to use the same pointer in three variables inside the function, so when
> the pointer is changed by a type conversion inside the function, it invalids
> the other variables.
> The PHP security team has seen noticed, and a bug already was filed in the
> bugtracker ( [private])
> $ sapi/cli/php ../bug.php
> array(1) {
> [0]=>
> string(5) "0Ȅ y"
> }
> array(1) {
> [0]=>
> string(1) "0"
> }
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-06-20 11:02:19 UTC
CVE-2011-1148 (
  Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and
  earlier allows context-dependent attackers to cause a denial of service
  (memory corruption) or possibly have unspecified other impact by using the
  same variable for multiple arguments.
Comment 2 Agostino Sarubbo gentoo-dev 2011-09-13 22:12:32 UTC
Security Enhancements and Fixes in PHP 5.3.7:
Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)

Please add glsa request.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-09-19 19:00:03 UTC
Thanks, everyone. Added to existing request.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-10 20:45:18 UTC
This issue was resolved and addressed in
 GLSA 201110-06 at
by GLSA coordinator Tobias Heinlein (keytoaster).