CVE-2010-4657

First published: Wed Oct 06 2010(Updated: )

Kees Cook reported an information leak flaw in the PHP's XMLWriter, triggered by an invalid UTF-8 string passed to the writeAttribute method: <a href="http://thread.gmane.org/gmane.comp.security.oss.general/4122">http://thread.gmane.org/gmane.comp.security.oss.general/4122</a> <a href="http://bugs.php.net/bug.php?id=52998">http://bugs.php.net/bug.php?id=52998</a> <a href="https://bugzilla.gnome.org/show_bug.cgi?id=631551">https://bugzilla.gnome.org/show_bug.cgi?id=631551</a> In the initial report, it was unclear if this is PHP or libxml2 flaw. libxml2 upstream author's reply in the gnome bugzilla bug suggests this issue needs to be addressed in PHP, as the libxml2 API requires input to be valid UTF-8 and \0 terminated string.

Credit: secalert@redhat.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/redhat-cve
• collector/redhat-bugzilla
• alias/CVE-2010-4657
• collector/security-tracker-debian
• agent/type
• agent/last-modified-date
• agent/first-publish-date
• agent/weakness
• agent/severity
• agent/references
• agent/author
• agent/description
• agent/event
• agent/tags
• agent/softwarecombine
• collector/nvd-historical
• agent/software-canonical-lookup-request
• collector/nvd-index
• package-manager/debian
• vendor/php
• canonical/php
• version/php/5.0.0
• vendor/redhat
• canonical/red hat enterprise linux
• version/red hat enterprise linux/6.0
• version/red hat enterprise linux/5.0
• vendor/debian
• canonical/debian gnu/linux
• version/debian gnu/linux/8.0