Package: php4
Version: 4:4.3.10-16
Severity: normal
Tags:

Hi,

I've just been forwarded this and tested it with sarge's apache1.3 module
and php4-cli, and sid's php4-cli (4:4.4.2-1+b1). It seems that php4 is
vulnerable to the wordwrap() heap overflow described here:

http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-04-02

Two other bugs are described in the advisory, one is a memory exhaustion
bug which at first sight looks like "works as designed", and the other is
a php5 only bug which I haven't tested.

Even the wordwrap case looks unlikely to happen in a real app, if it needs
the extra-long break argument given in the PoC example:

<?
$a = str_repeat ("A",438013);
$b = str_repeat ("B",951140);
wordwrap ($a,0,$b,0);
?>

Manual says:

string wordwrap ( string str [, int width [, string break [, bool cut]]] )

Returns a string with str wrapped at the column number specified by the
optional width parameter. The line is broken using the (optional) break
parameter.

Anyway, I don't have an idea if any of these are exploitable, but I'm
tempted to add a security tag on it just in case.

Regards,
Zoran

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.14.7
Locale: LANG=C, LC_CTYPE=hr_HR (charmap=ISO-8859-2)

Versions of packages php4 depends on:
ii  libapache-mod-php4   4:4.3.10-16   server-side, HTML-embedded scripti
ii  libapache2-mod-php4  4:4.3.10-16   server-side, HTML-embedded scripti
ii  php4-common          4:4.3.10-16   Common files for packages built fr

-- debconf information excluded
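
An added example, not part of the original report and not PHP's own code: it shows how a worst-case output size for wordwrap() with width 0 behaves with the PoC's two lengths when computed in 32-bit arithmetic, next to an overflow-checked version that refuses the request. The sizing rule textlen * (breaklen + 1) + 1 is an assumption (the report does not show the PHP source), and the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed sizing rule (not taken from the report or the PHP source):
 * with width 0 a break string may follow every input byte, so the worst-case
 * output is textlen * (breaklen + 1) + 1 bytes including the terminator. */

/* Unchecked form: the same arithmetic carried out in 32 bits, as on i386.
 * The result silently wraps modulo 2^32. */
uint32_t wrap_size_unchecked32(uint32_t textlen, uint32_t breaklen)
{
    return textlen * (breaklen + 1u) + 1u;
}

/* Checked form: returns 0 and stores the size in *out, or returns -1 when
 * the true size does not fit in `limit` (e.g. UINT32_MAX or SIZE_MAX). */
int wrap_size_checked(uint64_t textlen, uint64_t breaklen,
                      uint64_t limit, uint64_t *out)
{
    if (limit == 0 || breaklen > limit - 1)   /* breaklen + 1 would exceed limit */
        return -1;
    uint64_t per_char = breaklen + 1;
    /* textlen * per_char + 1 <= limit  <=>  textlen <= (limit - 1) / per_char */
    if (textlen > (limit - 1) / per_char)
        return -1;
    *out = textlen * per_char + 1;
    return 0;
}

int main(void)
{
    /* Lengths taken from the PoC in the report. */
    uint32_t a = 438013, b = 951140;
    uint64_t need = 0;

    printf("32-bit result: %u bytes\n", (unsigned)wrap_size_unchecked32(a, b));
    if (wrap_size_checked(a, b, UINT32_MAX, &need) != 0)
        printf("checked: size does not fit in 32 bits, refusing to allocate\n");
    if (wrap_size_checked(a, b, UINT64_MAX, &need) == 0)
        printf("true size: %llu bytes\n", (unsigned long long)need);
    return 0;
}
```

Under that assumption the 32-bit result is far smaller than the true size, which is why a size computed from caller-controlled lengths needs the check before any allocation.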