Message-ID: <54AEB831.9080002@internot.info>
Date: Fri, 09 Jan 2015 04:02:41 +1100
From: Joshua Rogers <oss@...ernot.info>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: PHP
On 08/01/15 22:11, Joshua Rogers wrote:
> CVE Request 2:
>
> Uninitialized Pointer Read in PHP core('fopen()')
> Bug report: https://bugs.php.net/bug.php?id=68692&edit=2
> Commit fix:
> http://git.php.net/?p=php-src.git;a=commit;h=7ebdc8d70d7617f2c3353b027663ef54a24a2248
Not a valid security risk. In all cases of the 'vulnerable' function
being used, a specific case is not true, which means that it cannot be
exploited.
>> if (!(stream = php_stream_open_wrapper(p + 10, mode,
>> options, opened_path))) {
>> efree(pathdup);
>> return NULL;
>> }
'stream' must be false when php_stream_apply_filter_list is called,
which for all cases in the PHP code, cannot be.
> CVE Request 3:
> Uninitialized Pointer Read in PHP core
> Bug report: https://bugs.php.net/bug.php?id=68694&edit=2
> Commit fix:
> http://git.php.net/?p=php-src.git;a=commit;h=f3ea1b0b6a42a08093bf9191ad76fb4b5e0a653b
This is invalid too.
It requires, like request #2, for 'stream' to be NULL.
> for (key = php_strtok_r(tmp, ",", &lasts);
In this case, 'tmp' must be NULL for it to crash/be exploited.
But tmp is defined:
> tmp = estrndup(new_value->val, new_value->len);
estrndup uses "emalloc", which like the other one from a few days ago
that I revoked, doesn't return NULL, but just crashes the program with
out-of-memory exit.
Thanks,
--
-- Joshua Rogers <https://internot.info/>
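The reachability argument in the reply (a NULL-dereference path that can only be entered if an allocator returned NULL, while that allocator bails out instead) can be checked against a small model. The following C program is an added example, not code from the thread or from PHP: `bailout_strndup` and `count_filter_names` are hypothetical stand-ins for `estrndup` and the quoted `php_strtok_r` loop, written to show that the guarded branch is dead code under an abort-on-failure allocator.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for PHP's estrndup()/emalloc(): on allocation
 * failure it terminates the process instead of returning NULL, which is
 * the property the reply relies on. */
static char *bailout_strndup(const char *s, size_t len)
{
    char *copy = malloc(len + 1);
    if (copy == NULL) {
        fputs("out of memory\n", stderr);
        exit(EXIT_FAILURE);   /* control never returns to the caller with NULL */
    }
    memcpy(copy, s, len);
    copy[len] = '\0';
    return copy;
}

/* Mirrors the quoted pattern: duplicate the value, then walk the copy
 * with a reentrant tokenizer. Returns the number of comma-separated
 * filter names. The -1 branch is the one a NULL duplicate would need
 * to reach; with the bail-out allocator above it is unreachable. */
int count_filter_names(const char *value)
{
    char *tmp = bailout_strndup(value, strlen(value));
    if (tmp == NULL) {
        return -1;   /* unreachable: bailout_strndup cannot return NULL */
    }
    int count = 0;
    char *lasts = NULL;
    for (char *key = strtok_r(tmp, ",", &lasts);
         key != NULL;
         key = strtok_r(NULL, ",", &lasts)) {
        count++;
    }
    free(tmp);
    return count;
}

int main(void)
{
    /* constructed sample input: a filter list in the style of a PHP ini value */
    printf("%d\n", count_filter_names("string.rot13,string.toupper"));
    return 0;
}
```

The same function linked against a libc `strndup` that returns NULL on failure would make the guard live, which is exactly the distinction the reply draws between the two allocators.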