mailing list archives
@(#)Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc() function
From: Sir Mordred <mordred () s-mail com>
Date: Tue, 25 Mar 2003 14:31:59 +0000
//@(#) Mordred Security Labs advisory
Release date: March 25, 2003
Name: Integer overflow in PHP socket_iovec_alloc() function
Versions affected: < 4.3.2
Conditions: PHP must be compiled with --enable-sockets option, which is
turned off by default
Author: Sir Mordred (mordred () s-mail com)
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Please visit http://www.php.net for more information about PHP.
The PHP socket extension implements a low-level interface to the socket
communication functions based on the popular BSD sockets, providing the
possibility to act as a socket server as well as a client...
To enable this extenstion PHP should be compiled with --enable-sockets
There exists an integer overflow in socket_iovec_alloc() function.
When requestiong the following php script, a httpd child will die with
the error message: child pid <pidnum> exit signal Segmentation fault (11)
$ cat t.php
III. Platforms tested
Linux 2.4 with Apache 1.3.27 / PHP 4.3.1
Don't use the sockets extension.
IV. Vendor response
Vendor notified, issue will be fixed in PHP 4.3.2.
This letter has been delivered unencrypted. We'd like to remind you that
the full protection of e-mail correspondence is provided by S-mail
encryption mechanisms if only both, Sender and Recipient use S-mail.
Register at S-mail.com: http://www.s-mail.com
- @(#)Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc() function Sir Mordred (Mar 25)