Kees Cook reported an information leak flaw in the PHP's XMLWriter, triggered by an invalid UTF-8 string passed to the writeAttribute method: http://thread.gmane.org/gmane.comp.security.oss.general/4122 http://bugs.php.net/bug.php?id=52998 https://bugzilla.gnome.org/show_bug.cgi?id=631551 In the initial report, it was unclear if this is PHP or libxml2 flaw. libxml2 upstream author's reply in the gnome bugzilla bug suggests this issue needs to be addressed in PHP, as the libxml2 API requires input to be valid UTF-8 and \0 terminated string.
Testing with the reproducer in upstream PHP bug, this is reproducible with PHP 5.3 packages in RHEL-6 (php) and RHEL-5 (php53). No visible leak on php (5.1.6) packages in RHEL-5. XMLWriter was introduced in 5.1.2, hence RHEL-4 php is unaffected.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2010-4657