
List:       oss-security
Subject:    Re: [oss-security] CVE request: is_a() function may allow arbitrary code execution in PHP 5.3.7/5.3.
From:       Josh Bressers <bressers () redhat ! com>
Date:       2011-09-27 18:26:23
Message-ID: c95a1a9e-b5f9-46ff-b9eb-324858da6e74 () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

Let's use CVE-2011-3379 for this.

Thanks.

-- 
    JB


----- Original Message -----
> Could a CVE be assigned for this flaw?  PHP 5.3.7 changed how the
> is_a()
> function worked, and as a result it could allow for remote arbitrary
> code execution if certain specific conditions are met (the blog post
> referenced below has a good writeup of the flaw).
> 
> http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/
> https://bugs.php.net/bug.php?id=55475
> https://bugzilla.redhat.com/show_bug.cgi?id=741020
> 
> It looks like this is the fix:
> 
> http://svn.php.net/viewvc/?view=revision&revision=317183
> 
> Thanks.
> 
> --
> Vincent Danen / Red Hat Security Response Team
> 