Date: Thu, 6 Sep 2012 20:56:24 -0500
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: php header() header injection detection bypass

On Wednesday 05 September 2012 12:05:43 cve-assign@...re.org wrote:
[...]
> In the actual situation, the
> https://bugs.php.net/patch-display.php?bug_id=60227&patch=SAPI.diff&revision=1320563128
> patch had a logic flaw related to the "((p = memchr(s, '\n', (e - s))) ||
> (p = memchr(s, '\r', (e - s))))" expression. MITRE prefers to categorize
> this type of situation as an "incorrect fix" not an "incomplete fix."
> Admittedly, for many CVE users it doesn't matter.

You are indeed right, it is better to categorize it as an incorrect fix.

> Note 2: We probably haven't found the exact affected 5.4.0RC versions,
> but this doesn't matter much because those versions aren't widely
> used. Specifically, we don't know whether there's a supported download
> location for every pre-release version that ever existed, but we
> happened to find the http://php.marvel.strk.jp/archive/ directory.
> Here, 5.4.0alpha3 (August 2011) does not check for '\r' at all,
> whereas 5.4.0RC2 (December 2011) can check for '\r' but has the
> above-mentioned logic flaw. This is consistent with the 2011-11-06 SVN
> date listed in bug 60227.

Since RCs and alphas are published in user dirs, and not in the main
release system, I don't think they are actively archived.

However, taking a look at the 5.4.0RC1 tag in git, it seems the issue was
indeed introduced in RC2:
https://github.com/php/php-src/blob/php-5.4.0RC1/main/SAPI.c#L715

And to confirm it in RC2:
https://github.com/php/php-src/blob/php-5.4.0RC2/main/SAPI.c#L715

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
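The logic flaw in the quoted expression is worth seeing run. Because `||` short-circuits, `memchr(s, '\r', ...)` is only evaluated when the current window `[s, e)` contains no `'\n'` at all; a bare `'\r'` that sits before a legitimately folded `'\n'` (line break followed by SP or HT, per RFC 2616 header folding) is therefore never looked at. The following is an added example written for this page, not PHP's SAPI.c: only the `memchr` expression comes from the thread, while the surrounding loop body (accept a break followed by SP/HT as folding, reject any other break), the byte-by-byte `header_check_fixed` variant, and the sample header values are this example's own assumptions and constructed inputs. The real code also strips trailing whitespace before this check, which is not modelled here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Check modelled on the expression quoted in the thread:
 *   ((p = memchr(s, '\n', (e - s))) || (p = memchr(s, '\r', (e - s))))
 * Loop body is an assumption for this example: a break followed by SP/HT
 * is accepted as RFC 2616 folding, any other break is rejected.
 * Input is NUL-terminated, so reading p[1] after a break is always safe. */
static bool header_check_flawed(const char *hdr)
{
    const char *s = hdr, *e = hdr + strlen(hdr), *p;

    while (s < e && ((p = memchr(s, '\n', (size_t)(e - s))) ||
                     (p = memchr(s, '\r', (size_t)(e - s))))) {
        if (p[1] == ' ' || p[1] == '\t') {
            s = p + 1;       /* folded continuation line: keep scanning */
            continue;
        }
        return false;        /* bare line break: reject the header */
    }
    /* The '\r' scan above only ever runs on a window with no '\n' left,
     * so a '\r' ahead of a folded '\n' is skipped entirely. */
    return true;
}

/* Corrected variant (assumption for this example): look at every byte,
 * treat CRLF as one break, and require SP/HT after any break. */
static bool header_check_fixed(const char *hdr)
{
    size_t len = strlen(hdr);

    for (size_t i = 0; i < len; i++) {
        char c = hdr[i];
        if (c != '\n' && c != '\r')
            continue;
        if (c == '\r' && i + 1 < len && hdr[i + 1] == '\n')
            i++;             /* CRLF counts as a single break */
        if (!(i + 1 < len && (hdr[i + 1] == ' ' || hdr[i + 1] == '\t')))
            return false;    /* break not followed by folding whitespace */
    }
    return true;
}

/* Constructed sample header values for the comparison table. */
static const char *const samples[] = {
    "X-Test: plain",                        /* clean */
    "X-Test: a\nInjected: b",               /* bare LF, both reject */
    "X-Test: a\rInjected: b",               /* bare CR, both reject */
    "X-Test: a\r\n b",                      /* folded CRLF, both accept */
    "X-Test: a\rInjected: yes\n more",      /* CR hidden before a folded LF */
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("sample %zu: flawed=%s fixed=%s\n", i,
               header_check_flawed(samples[i]) ? "accept" : "reject",
               header_check_fixed(samples[i]) ? "accept" : "reject");
    }
    return 0;
}
```

The last sample is the interesting one: the flawed loop finds the `'\n'`, sees the following space, advances past it, and then searches the remaining `" more"` for `'\n'` and `'\r'` in vain, so the earlier bare `'\r'` is accepted; the byte-by-byte check rejects it.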