Message-Id: <201209062056.30161.geissert@debian.org>
Date: Thu, 6 Sep 2012 20:56:24 -0500
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: php header() header injection detection bypass

On Wednesday 05 September 2012 12:05:43 cve-assign@...re.org wrote:
[...]
> In the actual situation, the
> https://bugs.php.net/patch-display.php?bug_id=60227&patch=SAPI.diff&revision=1320563128
> patch had a logic flaw related to the
> "((p = memchr(s, '\n', (e - s))) || (p = memchr(s, '\r', (e - s))))"
> expression. MITRE prefers to categorize this type of situation as an
> "incorrect fix" not an "incomplete fix." Admittedly, for many CVE users
> it doesn't matter.

You are indeed right, it is better to categorize it as an incorrect fix.

> Note 2: We probably haven't found the exact affected 5.4.0RC versions,
> but this doesn't matter much because those versions aren't widely
> used. Specifically, we don't know whether there's a supported download
> location for every pre-release version that ever existed, but we
> happened to find the http://php.marvel.strk.jp/archive/ directory.
> Here, 5.4.0alpha3 (August 2011) does not check for '\r' at all,
> whereas 5.4.0RC2 (December 2011) can check for '\r' but has the
> above-mentioned logic flaw. This is consistent with the 2011-11-06 SVN
> date listed in bug 60227.

Since RCs and alphas are published in user dirs, and not in the main release
system, I don't think they are actively archived.

However, taking a look at the 5.4.0RC1 tag in git, it seems the issue was
indeed introduced in RC2:
https://github.com/php/php-src/blob/php-5.4.0RC1/main/SAPI.c#L715

And to confirm it in RC2:
https://github.com/php/php-src/blob/php-5.4.0RC2/main/SAPI.c#L715

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
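The logic flaw in the quoted expression is a short-circuit problem: `memchr(s, '\r', ...)` only runs when the remainder of the header contains no `'\n'` at all, so a bare CR that sits before a whitespace-folded LF is never inspected. The following is an added illustration, not code from this thread or from PHP's own SAPI.c: `header_rejected_flawed` is modelled on the quoted loop (the surrounding error handling is omitted, and the `p + 1 < e` bound is my addition), and `header_rejected_fixed` shows the defensive alternative, a single left-to-right pass that stops at whichever of CR or LF comes first. Both apply the same folding policy (a line break is tolerated only when followed by SP or HT), so the only difference is the scan order. The header strings are constructed test inputs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Both functions return 1 if the header line must be rejected, 0 if it
 * may be emitted. Policy: a CR or LF is tolerated only when the byte
 * after the line break is SP or HT (obsolete header folding). */

/* Flawed scan, modelled on the expression quoted in the message above.
 * Because || short-circuits, memchr(s, '\r', ...) is evaluated only when
 * no '\n' exists in the rest of the header. A bare '\r' that precedes a
 * folded '\n' is therefore skipped over without ever being examined. */
int header_rejected_flawed(const char *h, size_t len)
{
    const char *s = h, *e = h + len, *p;

    while (s < e && ((p = memchr(s, '\n', (size_t)(e - s))) ||
                     (p = memchr(s, '\r', (size_t)(e - s))))) {
        if (p + 1 < e && (p[1] == ' ' || p[1] == '\t')) {
            s = p + 1;          /* accepted as a folded continuation */
            continue;
        }
        return 1;               /* bare line break: reject */
    }
    return 0;
}

/* Hardened scan: walk left to right and stop at the first CR or LF,
 * whichever comes first, so no line break can hide behind a later one.
 * A CRLF pair is consumed as a single terminator. Rejecting every CR and
 * LF outright (no folding at all) is the simpler and stronger policy if
 * folded headers need not be supported. */
int header_rejected_fixed(const char *h, size_t len)
{
    const char *s = h, *e = h + len;

    while (s < e) {
        if (*s != '\r' && *s != '\n') {
            s++;
            continue;
        }
        const char *next = s + 1;
        if (*s == '\r' && next < e && *next == '\n')
            next++;             /* consume the LF of a CRLF pair */
        if (next < e && (*next == ' ' || *next == '\t')) {
            s = next + 1;       /* folded continuation, keep scanning */
            continue;
        }
        return 1;               /* bare line break: reject */
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: a legitimately folded header, and one where a
     * bare CR precedes a folded LF. */
    const char *folded = "X: a\r\n b";
    const char *bare_cr = "X: a\rb\n c";

    printf("folded : flawed=%d fixed=%d\n",
           header_rejected_flawed(folded, strlen(folded)),
           header_rejected_fixed(folded, strlen(folded)));
    printf("bare CR: flawed=%d fixed=%d\n",
           header_rejected_flawed(bare_cr, strlen(bare_cr)),
           header_rejected_fixed(bare_cr, strlen(bare_cr)));
    return 0;
}
```

Run stand-alone, the second line shows the divergence: the flawed scan accepts the header containing a bare CR because the later folded LF is found first, while the single-pass scan rejects it. Both accept the properly folded CRLF header and both reject a bare LF.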