Date: Thu, 6 Sep 2012 20:56:24 -0500
From: Raphael Geissert <>
Subject: Re: Re: php header() header injection detection bypass

On Wednesday 05 September 2012 12:05:43 wrote:
> In the actual situation, the
> ion=1320563128 patch had a logic flaw related to the "((p = memchr(s,
> '\n', (e - s))) || (p = memchr(s, '\r', (e - s))))" expression. MITRE
> prefers to categorize this type of situation as an "incorrect fix" not an
> "incomplete fix." Admittedly, for many CVE users it doesn't matter.

You are indeed right, it is better to categorize it as an incorrect fix.

> Note 2: We probably haven't found the exact affected 5.4.0RC versions,
> but this doesn't matter much because those versions aren't widely
> used. Specifically, we don't know whether there's a supported download
> location for every pre-release version that ever existed, but we
> happened to find the directory.
> Here, 5.4.0alpha3 (August 2011) does not check for '\r' at all,
> whereas 5.4.0RC2 (December 2011) can check for '\r' but has the
> above-mentioned logic flaw. This is consistent with the 2011-11-06 SVN
> date listed in bug 60227.

Since RCs and alphas are published in user dirs, and not in the main release 
system, I don't think they are actively archived.

However, taking a look at the 5.4.0RC1 tag in git, it seems the issue was 
indeed introduced in RC2:
And to confirm it in RC2:

Raphael Geissert - Debian Developer -
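The logic flaw in the quoted `((p = memchr(s, '\n', (e - s))) || (p = memchr(s, '\r', (e - s))))` expression is a short-circuit problem: the `'\r'` search only runs when no `'\n'` remains in the span, so a bare `'\r'` that sits before a legitimately folded `'\n'` is never inspected. The following C program is an added illustration written for this page, not PHP's `sapi_header_op()` code; the loop wrapped around the memchr expression and the folding rule (a line break is tolerated only when followed by SP or HT, as RFC 2616 allows) are assumptions about the surrounding check, and the header strings are constructed test data. It contrasts the short-circuit search with a byte-by-byte scan that examines every `'\n'` and `'\r'`, which is the shape a correct fix takes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative reimplementation, not PHP's code. Both functions return 1 if
 * header_line is acceptable as a single header and 0 if it must be rejected. */

/* Short-circuit search modelled on the quoted expression: look for '\n' first
 * and for '\r' only if no '\n' is left in the remaining span. Once a folded
 * '\n' advances s past an earlier bare '\r', that '\r' is never examined. */
static int header_ok_shortcircuit(const char *line, size_t len)
{
    const char *s = line, *e = line + len, *p;

    while (s < e && ((p = memchr(s, '\n', (size_t)(e - s))) ||
                     (p = memchr(s, '\r', (size_t)(e - s))))) {
        /* RFC 2616 allows a line break followed by SP or HT (header folding) */
        if (p + 1 < e && (p[1] == ' ' || p[1] == '\t')) {
            s = p + 1;
            continue;
        }
        return 0;
    }
    return 1;
}

/* Byte-by-byte scan: every '\n' and every '\r' is inspected. A '\r' is
 * accepted only as the first half of "\r\n" (judged at the '\n') or when
 * followed by SP/HT; a '\n' is accepted only when followed by SP/HT. */
static int header_ok_scan(const char *line, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        char c = line[i];
        if (c != '\n' && c != '\r')
            continue;
        char next = (i + 1 < len) ? line[i + 1] : '\0';
        if (c == '\r' && next == '\n')
            continue;               /* judged at the '\n' on the next pass */
        if (next == ' ' || next == '\t')
            continue;               /* folded continuation line */
        return 0;                   /* bare line break: reject the header */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs; the last one is a bare '\r' followed later
     * by a folded '\n', the case the short-circuit search does not see. */
    const char *samples[] = {
        "X-Test: value",
        "X-Test: a\n b",
        "X-Test: a\nInjected: b",
        "X-Test: a\rInjected: b",
        "X-Test: a\rInjected: b\n c",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = strlen(samples[i]);
        printf("sample %zu: shortcircuit=%d scan=%d\n", i,
               header_ok_shortcircuit(samples[i], len),
               header_ok_scan(samples[i], len));
    }
    return 0;
}
```

The fifth sample is the one that separates the two checks: the short-circuit version finds the folded `'\n'`, treats it as a valid continuation, moves `s` past the earlier `'\r'` and accepts the header, while the scan rejects it at the `'\r'`. Any check that must see every delimiter should visit every byte rather than chain searches with `||`.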
