From mordred@s-mail.com Thu Mar 27 22:54:45 2003
From: Sir Mordred
To: bugtraq@securityfocus.com
Date: Tue, 25 Mar 2003 14:31:59 +0000
Subject: @(#)Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc() function

//@(#) Mordred Security Labs advisory

Release date: March 25, 2003
Name: Integer overflow in PHP socket_iovec_alloc() function
Versions affected: < 4.3.2
Conditions: PHP must be compiled with the --enable-sockets option, which is turned off by default
Risk: average
Author: Sir Mordred (mordred@s-mail.com)

I. Description:

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.
Please visit http://www.php.net for more information about PHP.

The PHP socket extension implements a low-level interface to the socket communication functions based on the popular BSD sockets, providing the possibility to act as a socket server as well as a client...
To enable this extension, PHP should be compiled with the --enable-sockets option.

II. Details:

There exists an integer overflow in the socket_iovec_alloc() function.
When requesting the following PHP script, an httpd child will die with the error message:
child pid exit signal Segmentation fault (11)

$ cat t.php

III. Platforms tested

Linux 2.4 with Apache 1.3.27 / PHP 4.3.1

III. Workaround

Don't use the sockets extension.

IV. Vendor response

Vendor notified, issue will be fixed in PHP 4.3.2.
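The advisory does not show the faulty code, so the following is an added illustration of the bug class it names (an allocation size computed from a caller-supplied element count) next to a checked allocator; it is not PHP source. The function names, the 8-byte element size used to model a 32-bit build, and the MAX_VECTORS cap are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/uio.h>

/* Assumed for illustration: size of struct iovec on a 32-bit build. */
#define ELEM_SIZE_32 8u
/* Assumed policy cap; choose a limit that fits the application. */
#define MAX_VECTORS 1024u

/* Models an unchecked size computation in 32-bit arithmetic: the product
 * wraps modulo 2^32, so a huge count yields a tiny byte count and later
 * indexing by the original count runs past the end of the buffer. */
uint32_t unchecked_bytes_32(uint32_t count)
{
    return count * ELEM_SIZE_32;
}

/* Checked allocator: rejects zero, over-cap and overflowing counts before
 * any memory is requested. Returns NULL when the request is rejected. */
struct iovec *iovec_array_alloc(size_t count)
{
    if (count == 0 || count > MAX_VECTORS)
        return NULL;
    /* Redundant while the cap is small; keeps the function safe if the
     * cap is ever raised or removed. */
    if (count > SIZE_MAX / sizeof(struct iovec))
        return NULL;
    return calloc(count, sizeof(struct iovec));
}

int main(void)
{
    uint32_t count = 0x20000001u; /* constructed input */
    printf("count=%u -> unchecked bytes=%u\n",
           (unsigned)count, (unsigned)unchecked_bytes_32(count));

    struct iovec *v = iovec_array_alloc(count);
    printf("checked allocation: %s\n", v ? "granted" : "rejected");
    free(v);
    return 0;
}
```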