Several format string flaws were found in PHP's Phar extension [1] that could be used to leak some parts of memory via error messages. These have been corrected in upstream svn [2]. The Phar extension is part of PHP since 5.3.0. This is demonstrated with the following: <?php $x = new PharData('a.php'); $x->loadPhar("%08x.%08x.%08x.%08x.%08x"); ?> % php phar.php PHP Fatal error: Uncaught exception 'PharException' with message 'unable to open phar for reading "00000000.00000008.00000000.bffb3624.081ef712"' in /tmp/tests/phar.php:4 Stack trace: #0 /tmp/tests/phar.php(4): PharData::loadPhar('%08x.%08x.%08x....') #1 {main} thrown in /tmp/tests/phar.php on line 4 [1] http://bugs.php.net/bug.php?id=54247 [2] http://svn.php.net/viewvc?view=revision&revision=309221
I'm not very familiar with these phar archives, but I suspect these would not be something a user could just upload (or a normal site would allow to be uploaded and then loaded), so I believe this flaw is probably more of a local flaw, than a remote flaw.
Statement: Red Hat does not consider this flaw to be a security issue. It is improbable that a script would accept untrusted user input or unvalidated script input data as a PHAR archive file name to load. The file name passed to the PHAR-handling functions is therefore under the full control of the script author and no trust boundary is crossed.