The final version of PHP 5.2.0
has been released today after lots of release candidates. The new version contains lots of bugfixes. Some of these fix several security vulnerabilities. Included is also a fix for the integer overflow in unserialize() that was reported by us a while ago. It also includes a last minute fix for a serious vulnerability we discovered 2 days ago.
PHP's HTML Entity Encoder that is exposed to userinput by the htmlentities() and htmlspecialchars() functions contains a bufferoverflow in UTF-8 character handling. This can be exploited to execute arbitrary code. What an irony that functions supposed to protect against XSS vulnerabilities infact create more serious code execution holes in your applications. An advisory with more detailed information was released here.
This once again proves that it is a good idea to use our Suhosin-Patch because it adds canary and safeunlink protection to the Zend Memory Manager which makes this vulnerability a lot harder or in most cases impossible to exploit.
Suhosin-Patch for PHP 5.2.0 will be released tommorow.
PS: Suhosin-Patch is now also activated by default in OpenBSD.