A few months ago, I stumbled upon a 24 years old buffer overflow in the glibc, the base library for linux programs. Despite being reachable in multiple well-known libraries or executables, it proved rarely exploitable — while it didn't provide much leeway, it required hard-to-achieve preconditions. Looking for targets lead mainly to disappointment. On PHP however, the bug shone, and proved useful in exploiting its engine in two different ways.
This page is short for now but it will get updated as I learn more about the incident. Most likely it will be during the first week of April 2024.
The Git repositories of XZ projects are on git.tukaani.org.
xz.tukaani.org DNS name (CNAME) has been removed. The XZ projects currently don’t have a home page. This will be fixed in a few days.