oss-sec mailing list archives

Re: CVE request (PHP 5.3.x getSymbol() DoS; CERT VU#479900)


From: Maksymilian Arciemowicz <cxib () securityreason com>
Date: Wed, 8 Dec 2010 14:27:22 +0000 (UTC)

Tomas Hoger <thoger@...> writes:


> On Tue, 7 Dec 2010 22:43:17 +0000 (UTC) Maksymilian Arciemowicz wrote:
>
> Btw, setSymbol() is affected too, and does not seem to be addressed
> in r305571.  In both cases, it's PHP exposing ICU bug.
>
> setSymbol() gives only DoS with strlen(NULL) [CWE-170].
>
> I don't see that with ICU 4.2.1 and PHP 5.3.3.  Please clarify if you
> see some different results with different ICU or PHP.  Or maybe using
> different way to call setSymbol().

My mistake, not setSymbol() but getLocale()

$nx=new IntlDateFormatter("pl", IntlDateFormatter::FULL,
IntlDateFormatter::FULL);
$nx->getLocale(1);


