Home page logo

bugtraq logo Bugtraq mailing list archives

RE: FUD-ALARM: @(#)Mordred Labs advisory - Integer overflow in PHP memory allocator
From: Stefan Esser <s.esser () e-matters de>
Date: Thu, 27 Mar 2003 11:03:14 +0100

Hello Mr. Mordred (and the rest of the Bugtraq readers),

I happily repeat everything I wrote to you before. Your advisories are
FUD. You release an advisory called: Integer overflow in PHP memory
allocator, rate it as High Risk, but you present the reader some stupid
crash bug in the socket extension that is marked as experimental and
is not enabled by default. I told you before, that the integer over-
flow cannot be used to exploit PHP. If you find a single emalloc call
where some user supplied value is able to allocate a block in the size 
of 4 Gigabyte (on 32bit maschines), then you have found a vulnerability.
Just stating that there is a possible integer overflow if someone 
allocates more than 2^32-7 bytes (2^64-7 bytes) is a joke. A vulnerability
that cannot be exploited may not be rated as: high risk. This can be
compared to calling strcpy a security vulnerability because it can be 
used by a stupid PHP core/extension programmer to produce a bufferoverflow.

Stefan Esser


 Stefan Esser                                        s.esser () e-matters de
 e-matters Security                         http://security.e-matters.de/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
 Did I help you? Consider a gift:            http://wishlist.suspekt.org/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]