96816 2003-03-25  17:47  /55 rader/ Sir Mordred <mordred@s-mail.com>
Importerad: 2003-03-25  17:47  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <4142>
Ärende: @(#)Mordred Labs advisory - Integer overflow in PHP socket_iovec_alloc() function
------------------------------------------------------------

//@(#) Mordred Security Labs advisory

Release date: March 25, 2003 Name: Integer overflow in PHP
socket_iovec_alloc() function Versions affected: < 4.3.2 Conditions:
PHP must be compiled with --enable-sockets option, which is turned
off by default Risk: average Author: Sir Mordred (mordred@s-mail.com)

I. Description:

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Please visit http://www.php.net for more information about PHP.

The PHP socket extension implements a low-level interface to the
socket communication functions based on the popular BSD sockets,
providing the possibility to act as a socket server as well as a
client...

To enable this extenstion PHP should be compiled with --enable-sockets
option.

II. Details:

There exists an integer overflow in socket_iovec_alloc() function.
When requestiong the following php script, a httpd child will die
with the error message: child pid <pidnum> exit signal Segmentation
fault (11)

$ cat t.php
<?php
    socket_iovec_alloc(0x20000000);
?>

III. Platforms tested

Linux 2.4 with Apache 1.3.27 / PHP 4.3.1

III. Workaround

Don't use the sockets extension.

IV. Vendor response

Vendor notified, issue will be fixed in PHP 4.3.2.



________________________________________________________________________
This letter has been delivered unencrypted. We'd like to remind you
that the full protection of e-mail correspondence is provided by
S-mail encryption mechanisms if only both, Sender and Recipient use
S-mail.  Register at S-mail.com: http://www.s-mail.com
(96816) /Sir Mordred <mordred@s-mail.com>/(Ombruten)