Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20150529170751.482ad9f4@redhat.com>
Date: Fri, 29 May 2015 17:07:51 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: <kaplanlior@...il.com>, <security@....net>, cve-assign@...re.org
Subject: Re: Re: CVE Request: various issues in PHP

On Wed, 20 May 2015 15:49:34 +0200 Vasyl Kaigorodov wrote:

> > >> https://bugs.php.net/bug.php?id=69418,
> > >> https://bugs.php.net/bug.php?id=68598 - various functions allow
> > >> \0 in paths where they shouldn't. In theory, that could lead to
> > >> security failure for path-based access controls if the user
> > >> injects string with \0 in it. It's a bit theoretical, but it's a
> > >> possibility.
> 
> CVE-2015-4025, CVE-2015-4026 respectively.

Both of these CVEs are addressed in a single commit, that also covers
few other functions not mentioned in either of the two bug reports
(dir()/opendir() and chroot()).  Which CVE do those additional fixes
fall under?  They are not 5.4 regressions, so probably not
CVE-2015-4025, but maybe not under CVE-2015-4026 either given that bug
68598 only mentions pcntl_exec().


I think there are few fixes in 5.4.40 / 5.5.24 / 5.6.8 that should have
CVEs assigned:


https://bugs.php.net/bug.php?id=69353
http://git.php.net/?p=php-src.git;a=commitdiff;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80

More CVE-2015-4025 / CVE-2015-4026 / CVE-2006-7243 like issues.  More
notes on what got changed is in RHBZ:
https://bugzilla.redhat.com/show_bug.cgi?id=1213407#c5


https://bugs.php.net/bug.php?id=69152
http://git.php.net/?p=php-src.git;a=commitdiff;h=0c136a2abd49298b66acb0cad504f0f972f5bfe8
http://git.php.net/?p=php-src.git;a=commitdiff;h=51856a76f87ecb24fe1385342be43610fb6c86e4
http://git.php.net/?p=php-src.git;a=commitdiff;h=fb83c76deec58f1fab17c350f04c9f042e5977d1

More unserialize issues.


https://bugs.php.net/bug.php?id=68819
http://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd

Fileinfo DoS.


Can CVEs be assigned for these?  Thank you!

-- 
Tomas Hoger / Red Hat Product Security

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.