Date: Tue, 16 Jun 2015 13:24:56 -0400 (EDT)
Subject: Re: CVE Request: various issues in PHP


>> > >>,
>> > >> - various functions allow
>> > >> \0 in paths where they shouldn't. In theory, that could lead to
>> > >> security failure for path-based access controls if the user
>> > >> injects string with \0 in it. It's a bit theoretical, but it's a
>> > >> possibility.
>> CVE-2015-4025, CVE-2015-4026 respectively.

> Both of these CVEs are addressed in a single commit, which also covers
> a few other functions not mentioned in either of the two bug reports
> (dir()/opendir() and chroot()). Which CVE do those additional fixes
> fall under? They are not 5.4 regressions, so probably not
> CVE-2015-4025, but maybe not under CVE-2015-4026 either, given that bug
> 68598 only mentions pcntl_exec().

In this type of situation, CVEs are assigned on a per-discoverer basis.
CVE-2015-4025 is for discoveries, whereas
CVE-2015-4026 is for See:

> dir()/opendir() and chroot()

Four weeks ago, we asked to contact us if those other
changed functions were associated with vulnerability fixes. They have
not contacted us about this.

Are you reporting that some or all of them had vulnerabilities?

For example, is it reasonable to expect that a PHP application may
want the client to make a choice of a chroot directory, and the
intended behavior is to restrict the choice to a name ending in ".d"
but this can be bypassed by something like a
"/usr/local/var/x/does-not-end-in-dot-d\0.d" value?

> More CVE-2015-4025 / CVE-2015-4026 / CVE-2006-7243-like issues. More
> notes on what got changed are in RHBZ:

The vulnerability discoveries in bug 69353 were assigned
CVE-2015-3411 in April. The additional vulnerability discoveries in:

;a=commit;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80
;a=commit;h=4435b9142ff9813845d5c97ab29a5d637bedb257

were assigned CVE-2015-3412.

Use CVE-2015-4598 for the vulnerability discoveries.

> More unserialize issues.


Use CVE-2015-4599 for the discovery fixed in


Use CVE-2015-4600 for the discoveries in bug
69152 that were fixed in 0c136a2abd49298b66acb0cad504f0f972f5bfe8 -
SoapClient::__getLastRequest, SoapClient::__getLastResponse,
SoapClient::__getLastResponseHeaders, SoapClient::__getCookies, and

Use CVE-2015-4601 for the other vulnerabilities fixed in
0c136a2abd49298b66acb0cad504f0f972f5bfe8, with the exception that the
issue involving the uri property in do_soap_call is already covered by


Use CVE-2015-4602 for this issue mentioned at [2015-03-20 14:58 UTC]
in bug 69152.

> [2015-03-03 04:30 UTC]

Use CVE-2015-4603 for the exception::getTraceAsString issue. As
mentioned at [2015-03-25 09:57 UTC], the affected versions for this
issue are different from those of other issues discussed in bug 69152.

> Fileinfo DoS.

Use CVE-2015-4604 for the violation of the "mget() guarantees buf <=
last" constraint suggested in the [2015-02-05 13:53 UTC] comment.

Use CVE-2015-4605 for the issue in which offset can exceed bytecnt,
suggested in the [2015-02-09 17:10 UTC] comment.

These might be conceptually overlapping discoveries, but we decided to
have the two CVE IDs.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
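The NUL-byte path truncation that the chroot() example in the message above hypothesises, shown here as an added example; it is not code from PHP, from the referenced commit, or from anyone in this thread. It models in C the two views of the same user-supplied path: the length-counted (binary-safe) PHP string that an application-level suffix check operates on, and the NUL-terminated C string that chroot(2)/opendir(3) actually receive. The function names, the ".d" policy and the sample path are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input, taken from the chroot() example in the
 * message above: as a PHP string it is 41 bytes long and contains a NUL
 * at offset 38, followed by the ".d" that the policy wants to see. */
static const char sample[] = "/usr/local/var/x/does-not-end-in-dot-d\0.d";
#define SAMPLE_LEN (sizeof(sample) - 1)

/* Hypothetical application-level policy check. PHP strings are
 * length-counted, so a PHP-level substr()/preg_match() style suffix test
 * sees every byte, including the embedded NUL, and is satisfied as long
 * as the last two bytes are ".d". */
static bool allowed_by_app_check(const char *path, size_t len)
{
    static const char suffix[] = ".d";
    const size_t slen = sizeof(suffix) - 1;

    if (len < slen)
        return false;
    return memcmp(path + len - slen, suffix, slen) == 0;
}

/* The view the kernel gets. chroot(2)/opendir(3) take a NUL-terminated
 * C string, so the path is cut at the first NUL byte: the ".d" that the
 * policy check relied on is silently discarded. */
static size_t effective_path_len(const char *path)
{
    return strlen(path);
}

/* Hardened variant: refuse any path carrying an embedded NUL before
 * running the policy check, so the application's view and the syscall's
 * view of the path can no longer diverge. This is the property the fixed
 * PHP functions enforce; the code here is an illustration, not PHP's
 * implementation. */
static bool allowed_hardened(const char *path, size_t len)
{
    if (memchr(path, '\0', len) != NULL)
        return false;
    return allowed_by_app_check(path, len);
}

int main(void)
{
    printf("app-level check passes : %s\n",
           allowed_by_app_check(sample, SAMPLE_LEN) ? "yes" : "no");
    printf("path the syscall sees  : \"%s\" (%zu of %zu bytes)\n",
           sample, effective_path_len(sample), (size_t)SAMPLE_LEN);
    printf("hardened check passes  : %s\n",
           allowed_hardened(sample, SAMPLE_LEN) ? "yes" : "no");
    return 0;
}
```

The point of the hardened variant is that the rejection happens on the length-counted buffer, where the NUL is still visible; any check performed after the string has been handed to a NUL-terminated API is already too late.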

