//@(#) Mordred Security Labs advisory

Release date: March 25, 2003
Name: Integer overflow in PHP socket_iovec_alloc() function
Versions affected: < 4.3.2
Conditions: PHP must be compiled with the --enable-sockets option, which is turned off by default
Risk: average
Author: Sir Mordred (mordred@s-mail.com)

I. Description:

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Please visit http://www.php.net for more information about PHP.

The PHP socket extension implements a low-level interface to the socket communication functions based on the popular BSD sockets, providing the possibility to act as a socket server as well as a client... To enable this extension, PHP must be compiled with the --enable-sockets option.

II. Details:

There is an integer overflow in the socket_iovec_alloc() function. When the following PHP script is requested, an httpd child dies with the error message:

    child pid <pidnum> exit signal Segmentation fault (11)

    $ cat t.php
    <?php
    socket_iovec_alloc(0x20000000);
    ?>

III. Platforms tested

Linux 2.4 with Apache 1.3.27 / PHP 4.3.1

IV. Workaround

Don't use the sockets extension.

V. Vendor response

Vendor notified, issue will be fixed in PHP 4.3.2.
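The following C model is an added example, not code from the advisory or from PHP. It shows why a count of 0x20000000 is a boundary value for a 32-bit size computation and what an overflow-checked allocation looks like. It assumes a 32-bit build where one vector descriptor is 8 bytes and the byte count is the element count multiplied by that size; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: 32-bit build, so sizes are 32 bits wide and one vector
 * descriptor (4-byte pointer + 4-byte length) occupies 8 bytes. */
#define ELEM_SIZE 8u

/* Unchecked pattern: the product is reduced modulo 2^32, so a large
 * count yields a byte count far smaller than the caller expects. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * ELEM_SIZE;
}

/* Checked pattern: returns 0 and stores the byte count in *out, or
 * returns -1 if count is zero or the product does not fit in 32 bits. */
int checked_alloc_size(uint32_t count, uint32_t *out)
{
    if (count == 0 || count > UINT32_MAX / ELEM_SIZE)
        return -1;
    *out = count * ELEM_SIZE;
    return 0;
}

/* Hardened allocator (hypothetical name): refuses the request instead
 * of returning a buffer smaller than count elements. */
void *alloc_vectors(uint32_t count)
{
    uint32_t bytes;

    if (checked_alloc_size(count, &bytes) != 0)
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    uint32_t count = 0x20000000u;   /* value used in the advisory's t.php */
    void *p = alloc_vectors(count);

    printf("unchecked size for 0x%x elements: %u bytes\n",
           (unsigned)count, (unsigned)unchecked_alloc_size(count));
    printf("hardened allocator: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

Under these assumptions 0x20000000 * 8 equals 2^32, which is the smallest count for which the 32-bit product wraps, and it wraps to exactly zero.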