Date: Sat, 01 Sep 2012 20:01:38 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Raphael Geissert <geissert@...ian.org> Subject: Re: php header() header injection detection bypass -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/31/2012 04:42 PM, Raphael Geissert wrote: > Hi, > > On Friday 31 August 2012 13:38:16 Kurt Seifried wrote: >> Apologies in advance for my questions but I'm a bit confused >> (also I don't have access to PHP security bugs so I'm a bit in >> the dark here). >> >> 1) I don't see #54182 and #54006 in the PHP ChangeLog, have these >> been fixed? > [...] >> 2) Are you saying that the "header injection detection bypass" >> wasn't completely fixed by the patches for #54182 and #54006, and >> then someone reported #60227, originally reported as #60028 which >> has been fixed needs a second CVE (e.g. the "an incomplete fix >> for original issue led to a second fix being pushed" thing)? > > All the bug reports I mentioned are about exactly the same issue. > The non- public ones have been marked as duplicates of the public > one. > > I'm aware of at least 5.4.0 RC5 containing the incomplete fix, > but I don't know in which exact RC version it made its way into. > 5.4.0 beta2 was still vulnerable to CVE-2011-1398. > > PHP 5.4.1 RC1 already had the proper fix. > > So, since at least PHP 5.4.0 had the incomplete fix, I guess a new > CVE for the incomplete fix is in order. Kurt, could you please > assign one? > > Please let me know if it's not clear enough yet. > > http://svn.php.net/viewvc/?view=revision&revision=318820 > (referenced from #60227) This is perfect, thanks. Please use CVE-2012-4388 for the incomplete fix for CVE-2011-1398. (this would be easier if the old bug entries were public =). > Cheers, - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQQr4CAAoJEBYNRVNeJnmT8fgP/j8WIOL6loD6wXovpCS1gwlj A/wkadlal5XgFQ01MJaJnjy9p+CkztoofUjMuwGIkJHhDsvvBVzE8w9pbSNhoZfn FMX9m2sP3VAuD5vyTizkmlC4hH3/OufAnglJaLxENa+MX0nUhtkzOnd8g9PA/aLG 9pMjCZBcsL2GPN8C3XrokIao3LwyDTUT1aamOGJKcY3bw439NTZjSzk3cAP8nCPA FvwZsAuZ8Hout4V8szmTJr6yLx6OfA5Al44dhFqjUEuHKTZSpUDbR86UOByrO9fJ ALPxX7Z8JmHD3EiiSs4BgTfubd783ovONdSUJsiNFidQoYlna8mPpw9Qgt692sSR n2KXHk958mujRR6/Bc1lds6FdT7Qg+4usOs8cj3VVltDc+UpKm4oBTZ+jbnl+TQo iXfQGpWzwZ/caOAoozBpUikVZlZdT6xu2PfLrwSiqVZ+MRvD1p07IWWHMEeNma7c FZtE4OsmtmYaSX/xSkgPBLIzLjOlVJdkH4694ACuhiR62iwxy2vvLYqGx2+Spmzg WXJ5iLF/QHyJFJZYFostGtOaIGqW9b9GLHve8f0xyhneJRRi7Tw5h0A14GhHEbpY lH37OTKZ0oKVUErLpXlw8zblwsrgUWJPcJpIRkdvxz9li33FOY7jasSKsJGXhOYl L+x3hnfMOaRizpGA40nK =knYF -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ