News New 28 year old Php/gnu c buffer overflow vulnerability.

[DJones]

NVD - CVE-2024-2961

nvd.nist.gov

Breakdown of vulnerability. (Not sponsored):

Note that php is not in the asuswrt-merlin firmware, but can be installed via entware.

 

[coxhaus]

Sounds like this is Linux based so I assume it does not apply to Pfsense not being Linux based.

 

[DJones]

Sounds like this is Linux based so I assume it does not apply to Pfsense not being Linux based.

I believe in this instance that is correct. PFsense and OPNsense are FreeBSD based.

 

[RMerlin]

Note that PHP is only a mean to exploit the issue, the core of the issue is in glibc itself. But I guess since nobody knows what glibc but a lot of people have heard of PHP, it got publicized that way...

That same PHP would probably be safe if your platform used musl.

 

[sfx2000]

Note that PHP is only a mean to exploit the issue, the core of the issue is in glibc itself. But I guess since nobody knows what glibc but a lot of people have heard of PHP, it got publicized that way...

That same PHP would probably be safe if your platform used musl.

Yeah - this is one of those classic stack-smashing things, and it's not just on glibc or php... it's a common risk.

It could happen on a device that uses MUSL if the binaries statically link to a glibc, libc, or uclibc that doesn't have protection there...

CWE - CWE-787: Out-of-bounds Write (4.14)

Common Weakness Enumeration (CWE) is a list of software weaknesses.

cwe.mitre.org