
On 9 October 2012 12:49, Paul Dwerryhouse <paul@dwerryhouse.com.au> wrote:
> On 09/10/12 12:01, Andrew Worsley wrote:
>> Debian security tracker reports this is fixed in squeeze (5.3.3-7) but *NOT* in wheezy (5.4.4-7) - see
>
> My next question is where that page is getting its information from, too, because it doesn't look correct to me.
>
> I can't find any information anywhere that says CVE-2011-1148 applies to php 5.4. It was fixed in 5.3.7 in August 2011, and version 5.4.4 (the version in wheezy) came out in June 2012.
>
> Unless Debian has backported a patch that reintroduced the vulnerability, I am sceptical about it being vulnerable.

I guess you could always test via this test data: https://bugs.php.net/bug.php?id=54238

Test script:
---------------
<?php
$f = array(array('A', 'A'));
$z = substr_replace($f, $f, $f, 1);
var_dump($z, $f);

Actual result:
--------------
array(1) {
  [0]=>
  string(5) "0Dd y"
}
array(1) {
  [0]=>
  string(1) "0"
}