Message-Id: <20150616172456.ADCE052E1F7@smtpvbsrv1.mitre.org>
Date: Tue, 16 Jun 2015 13:24:56 -0400 (EDT)
From: cve-assign@...re.org
To: thoger@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, kaplanlior@...il.com, security@....net
Subject: Re: CVE Request: various issues in PHP

>> > >> https://bugs.php.net/bug.php?id=69418,
>> > >> https://bugs.php.net/bug.php?id=68598 - various functions allow
>> > >> \0 in paths where they shouldn't. In theory, that could lead to
>> > >> security failure for path-based access controls if the user
>> > >> injects string with \0 in it. It's a bit theoretical, but it's a
>> > >> possibility.
>>
>> CVE-2015-4025, CVE-2015-4026 respectively.

> Both of these CVEs are addressed in a single commit, that also covers
> a few other functions not mentioned in either of the two bug reports
> (dir()/opendir() and chroot()). Which CVE do those additional fixes
> fall under? They are not 5.4 regressions, so probably not
> CVE-2015-4025, but maybe not under CVE-2015-4026 either given that bug
> 68598 only mentions pcntl_exec().

In this type of situation, CVEs are assigned on a per-discoverer basis.
CVE-2015-4025 is for thoger@...hat.com discoveries, whereas
CVE-2015-4026 is for yohgaki@....net. See:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4025
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4026

> dir()/opendir() and chroot()

Four weeks ago, we asked security@....net to contact us if those other
changed functions were associated with vulnerability fixes. They have
not contacted us about this.

Are you reporting that some or all of them had vulnerabilities?

For example, is it reasonable to expect that a PHP application may
want the client to make a choice of a chroot directory, and the
intended behavior is to restrict the choice to a name ending in ".d"
but this can be bypassed by something like a
"/usr/local/var/x/does-not-end-in-dot-d\0.d" value?


> https://bugs.php.net/bug.php?id=69353
> http://git.php.net/?p=php-src.git;a=commitdiff;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80
>
> More CVE-2015-4025 / CVE-2015-4026 / CVE-2006-7243 like issues. More
> notes on what got changed are in RHBZ:
> https://bugzilla.redhat.com/show_bug.cgi?id=1213407#c5

The neal@...com vulnerability discoveries in bug 69353 were assigned
CVE-2015-3411 in April. The additional vulnerability discoveries in:

  http://git.php.net/?p=php-src.git;a=commit;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80
  http://git.php.net/?p=php-src.git;a=commit;h=4435b9142ff9813845d5c97ab29a5d637bedb257

were assigned CVE-2015-3412.


Use CVE-2015-4598 for the https://bugs.php.net/bug.php?id=69719
thoger@...hat.com vulnerability discoveries.


> More unserialize issues.

> https://bugs.php.net/bug.php?id=69152
> http://git.php.net/?p=php-src.git;a=commitdiff;h=51856a76f87ecb24fe1385342be43610fb6c86e4

Use CVE-2015-4599 for the taoguangchen@...oud.com discovery fixed in
51856a76f87ecb24fe1385342be43610fb6c86e4.


> http://git.php.net/?p=php-src.git;a=commitdiff;h=0c136a2abd49298b66acb0cad504f0f972f5bfe8

Use CVE-2015-4600 for the taoguangchen@...oud.com discoveries in bug
69152 that were fixed in 0c136a2abd49298b66acb0cad504f0f972f5bfe8 -
SoapClient::__getLastRequest, SoapClient::__getLastResponse,
SoapClient::__getLastRequestHeaders,
SoapClient::__getLastResponseHeaders, SoapClient::__getCookies, and
SoapClient::__setCookie.

Use CVE-2015-4601 for the other vulnerabilities fixed in
0c136a2abd49298b66acb0cad504f0f972f5bfe8, with the exception that the
issue involving the uri property in do_soap_call is already covered by
CVE-2015-4148.


> http://git.php.net/?p=php-src.git;a=commitdiff;h=fb83c76deec58f1fab17c350f04c9f042e5977d1

Use CVE-2015-4602 for this issue mentioned at [2015-03-20 14:58 UTC]
in bug 69152.


> https://bugs.php.net/bug.php?id=69152 [2015-03-03 04:30 UTC]

Use CVE-2015-4603 for the exception::getTraceAsString issue. As
mentioned at [2015-03-25 09:57 UTC], the affected versions for this
issue are different from those of other issues discussed in bug 69152.


> https://bugs.php.net/bug.php?id=68819
> http://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd
>
> Fileinfo DoS.

Use CVE-2015-4604 for the violation of the "mget() guarantees buf <=
last" constraint suggested in the [2015-02-05 13:53 UTC] comment.

Use CVE-2015-4605 for the issue in which offset can exceed bytecnt,
suggested in the [2015-02-09 17:10 UTC] comment.

These might be conceptually overlapping discoveries, but we decided to
have the two CVE IDs.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
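The chroot bypass asked about in the message above, as an added C example that is not code from the thread or from PHP: a length-aware suffix check accepts the value, a NUL-terminated C API such as chroot(2) sees only the bytes before the embedded NUL, and the mitigation is to reject any path argument containing a NUL before it is handed on. The function names, the verdict codes and the sample value (copied from the mail) are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample value, taken from the question in the mail above.
 * The array keeps the embedded NUL, so SAMPLE_LEN counts it (41 bytes). */
static const char SAMPLE[] = "/usr/local/var/x/does-not-end-in-dot-d\0.d";
static const size_t SAMPLE_LEN = sizeof SAMPLE - 1;

/* Length-aware suffix check, as a scripting runtime that tracks string
 * length (instead of relying on NUL termination) would perform it. */
static bool ends_with_dot_d(const char *s, size_t len) {
    return len >= 2 && s[len - 2] == '.' && s[len - 1] == 'd';
}

/* What a NUL-terminated C API actually receives: the string is cut at
 * the first NUL byte, so the ".d" suffix never reaches the kernel. */
static size_t c_api_visible_len(const char *s) {
    return strlen(s);
}

/* Mitigation: refuse any path argument with an embedded NUL before it
 * reaches a NUL-terminated API. Returns true when the value is clean. */
static bool path_arg_is_clean(const char *s, size_t len) {
    return memchr(s, '\0', len) == NULL;
}

/* Hardened validation order: 0 = rejected (bad suffix),
 * 1 = rejected (embedded NUL), 2 = accepted. */
static int check_chroot_arg(const char *s, size_t len) {
    if (!ends_with_dot_d(s, len)) return 0;
    if (!path_arg_is_clean(s, len)) return 1;
    return 2;
}

int main(void) {
    printf("suffix check passes: %d\n", (int)ends_with_dot_d(SAMPLE, SAMPLE_LEN));
    printf("chroot() would see %zu of %zu bytes\n",
           c_api_visible_len(SAMPLE), SAMPLE_LEN);
    printf("hardened verdict: %d\n", check_chroot_arg(SAMPLE, SAMPLE_LEN));
    return 0;
}
```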
