this is a warning to anyone using php

An 8/10 vulnerability has been found in glibc that could lead to the compromise of PHP around the world. Check it out in this video.

Comments
Author

1:25 “may overflow the output buffer”

Everybody drink!

jdietz
Author

Bro the NSA is getting all of their exploits leaked 💀

zettabitepragmara
Author

Is it me, YouTube's algorithm, or have there been quite a few big vulnerabilities lately? Don't get me wrong, it's good we're catching them, but they're a good reason for good update/patch management.

rbgtk
Author

UTF-8 and UTF-16 are NOT just the English character sets. They're literally all character sets, cause it's you know...Unicode. English characters would be ASCII which UTF-8 is backwards compatible with.

Scoopta
Author

sending chills down my spine with "SET THE CHARSET TO RCE" 💀🔥🔥

BareTuna
Author

As a php dev, this does not surprise me at all. *Continues to code in php 5.6*

alsjourney
Author

"Update glibc" could use some clarification. If a distribution has an official update available (and many distros will incorporate the patch into their supported versions), then by all means, but be prepared for serious complications when installing a version of glibc your distribution doesn't support.

titop.
Author

These videos are a great way to be notified of things like this, and appreciate you taking the time to explain the bugs too!

I work for a web hosting company as a developer, not as security - but I alerted our security team to this thanks to you.

ConnorMoody
Author

so happy I never really did much complicated stuff with PHP in all projects I still have out there. I essentially just went `php index.php => index.html` and replaced the files on the production server for every project still using PHP and that basically saved me from having to look into 99% of CVEs for php. I mean I am still running PHP on an apache host, but since it's managed by the hosting provider it's their job to fix what's left.

Mitsunee_
Author

brb, writing a middleware that removes the charset header from the requests LOL

thedevminer
Author

0:43 you should say "most Linux distributions". For example, Alpine runs on musl, and Gentoo also has a musl option.

mtxn
Author

In ancient times, burned once by an external library which theoretically has versioning but forgot about it, I started surrounding external structures or buffers with 256 or 512 bytes of "spares", which saved me hours of debugging strange errors or proved very beneficial to stability (additionally, I zeroed those spares before and after the call).

AK-vxdy
Author

This should affect every web request system, not just PHP, that can accept and react to that HTTP header, including Node: it uses glibc too, and does accept HTTP headers.

Author

"Hellow my name is Oliverlearning"

is what my brain heard for some reason xD

kartonrad
Author

Why is it reported as a PHP bug?
It is a glibc bug, but I get it more now... it is just PHP's bad luck... or an unfortunate decision of buffer placement

AK-vxdy
Author

This title is so misleading. The vulnerability is not in PHP and it can only be exploited if you use user-supplied inputs when calling the iconv function without filtering on allowed values for the conversion.

anonde
Author

A tech talker explaining that UTF-8 is English encoded, is like a car mechanic explaining that oil goes into the inlet for the heating system.

robertvangeel
Author

Two notes: this isn't a Linux-only bug; GCC is used for Windows PHP deployments as well.

Chinese uses double or even quad byte characters depending on the encoding. Since it seems to require installation of Chinese support and requires chaining that limits the vulnerability substantially.

orbatos
Author

Fake news, they just want to take our lambos!

jamesrobinson
Author

This impacts basically everything, not just php lol

gg-gnre