Message-Id: <20160529032255.12FC7332079@smtpvbsrv1.mitre.org>
Date: Sat, 28 May 2016 23:22:55 -0400 (EDT)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Fwd: PHP-FPM fpm_log.c memory leak and buffer overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Date: Tue, 2 Feb 2016 17:10:22 +0100
> To: <oss-security@...ts.openwall.com>

> Date: Mon, 25 Jan 2016 16:50:38 +0100
> To: bugtraq@...urityfocus.com

> The FastCGI Process Manager (FPM) SAPI of PHP was vulnerable to memory
> leak and buffer overflow in the access logging feature.

> the PHP engine performed an out-of-boundaries read and also wrote a \n
> character outside of the allocated memory.

> http://git.php.net/?p=php-src.git;a=commit;h=2721a0148649e07ed74468f097a28899741eb58f
> http://www.search-lab.hu/about-us/news/111-some-unusual-vulnerabilities-in-the-php-engine

>> as it has some strict prerequisites, the severity is low.

>> This was just an expanded version of the default access.format
>> template, we added the REMOTE_ADDR and REQUEST_URI fields

As explained in the www.search-lab.hu post (in the section between "We
found the answer by reviewing the source code" and "And here we are"),
there was really only one underlying problem: the code misinterpreted
the semantics of the snprintf return value. Use CVE-2016-5114.

The other outcomes were consequences of this. The "memory leak" is the
same as the "out-of-boundaries read": extra bytes from process memory
were being written to a log file that might be readable by untrusted
users. The "buffer overflow" is the same as the "wrote a \n character
outside of the allocated memory."

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXSmAHAAoJEHb/MwWLVhi2KkwQAJYehVlnt9SusqqgXhyhdZgt
TwqfEcyDihIZRtNw1MVqSTyR3B5Tf8S0SiSeINC2uRvaWSia/NlSEjWuMshmDkIn
vXsPj60bPpjtvU9DXK7NZ2L35zOqwaVLf/n/XnNf2dkHIVCE2uNfm2GvNyGjGSGn
8W38RS9xu1BJeF1PKtgkd3CdYKbfy2J/NZs59E02yhJ5gtQoR64n86zj2qdv5lhd
/pTvd3QzdCztOU+/wKRA/vOlm0UJKc4vMyP92ffYPuQkPaqaA2AovzCGJuJ+vKoL
XHSKvwigkLK1VECfTHpxmt0JXOHe4UMdDjSFPXryixjWxT0D3OnYU1lJKCn7XjKx
UBGOm+p3CvEZ5+3pxDqI5oULJokn6ZiLBLuWP2rhDITcyEsRbr745UQCJ0kZjuSu
tHheUYJWRHo4XOHQkeV2eiVrZTjTo/1txTUZCoenV57WK8EnOiKuoFaBbq0xddtq
UfQMWB6wYFf7n7O4LuMPxcE4UgC6dO04CuY12yHduarvxcPb/r7n9H8ACyexb93k
OvmhaX2fDJNEjQ2ZGIBvOhKXJAYCe/kHjCeFH256xAfQhe2eW14SLo53Akt6dgvg
0jzyABI/KSbJnpWqwB3Bf1K9vfmSmBCEWYJVlY0HCtE5caqe+IJSE5RygSlR22Ha
7YksgydiRGiXmapN76dc
=ONL0
-----END PGP SIGNATURE-----
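Added illustration (not code from the message above, from PHP, or from fpm_log.c): the bug class the reply describes, written in C. A log-line builder appends fields with snprintf() and uses the return value, which is the length the field would have taken rather than the number of bytes actually stored, as its write cursor. Once a field is truncated the cursor passes the end of the buffer, the trailing '\n' lands outside the allocation, and the byte count handed to write(2) makes the log file receive adjacent process memory. The hardened builder beside it compares the return value with the space that was actually available and keeps one byte in reserve for the newline. The buffer size, the request fields, and the LOG_BUF/BACKING layout (an oversized backing array, so the overrun can be inspected without corrupting anything else) are constructed for this demonstration and are not taken from PHP.

```c
/* Constructed demonstration of the snprintf-return-value bug class; the
 * sizes, names and request fields below are invented, not PHP's. */
#include <stdio.h>
#include <string.h>

#define LOG_BUF 24   /* hypothetical size of the "allocated" log line buffer */
#define BACKING 64   /* oversized array so the demo's overrun stays in memory we own */

/*
 * Vulnerable pattern: snprintf() returns the length the field WOULD have
 * taken, not the bytes it actually stored. Using that value as the cursor
 * lets len run past `size` as soon as a field is truncated. After that,
 * buf[len] = '\n' is an out-of-bounds write, and the returned count makes
 * the caller's write(2) copy len - size + 1 bytes of adjacent memory into
 * the log file.
 */
size_t build_line_vulnerable(char *buf, size_t size, const char *fields[], int n)
{
    size_t len = 0;
    for (int i = 0; i < n; i++) {
        int r = snprintf(buf + len, size - len, "%s%s", fields[i], i + 1 < n ? " " : "");
        if (r < 0)
            return 0;
        len += (size_t)r;          /* BUG: would-be length, not stored length */
        if (len >= size)           /* notices the overflow only after the fact */
            break;                 /* ... and leaves len >= size in place */
    }
    buf[len] = '\n';               /* out-of-bounds write when len >= size */
    return len + 1;                /* out-of-bounds read in the caller's write() */
}

/*
 * Hardened form: compare the return value with the space that was really
 * available and reserve the last byte for the newline. On truncation the
 * cursor is set to what snprintf actually stored (avail - 1 bytes in total),
 * so neither the '\n' nor the returned byte count can leave the buffer.
 */
size_t build_line_fixed(char *buf, size_t size, const char *fields[], int n, int *truncated)
{
    size_t len = 0;
    *truncated = 0;
    if (size < 2)
        return 0;
    size_t avail = size - 1;       /* last byte is reserved for '\n' */
    for (int i = 0; i < n; i++) {
        int r = snprintf(buf + len, avail - len, "%s%s", fields[i], i + 1 < n ? " " : "");
        if (r < 0)
            return 0;
        if ((size_t)r >= avail - len) {   /* did not fit: avail-len-1 bytes stored */
            len = avail - 1;
            *truncated = 1;
            break;
        }
        len += (size_t)r;
    }
    buf[len] = '\n';               /* len <= size - 2: always in bounds */
    return len + 1;                /* <= size - 1 */
}

/* Constructed request fields; the URI is long enough to overflow LOG_BUF. */
static const char *demo_fields[] = { "203.0.113.7", "GET", "/index.php?id=1", "200" };

/* Runs the vulnerable builder on a LOG_BUF-byte "allocation" at the start of
 * `backing`; the rest of `backing` stands in for adjacent process memory and
 * is filled with 'S'. Returns the byte count handed to write(2) and, via
 * *leaked, how many 'S' bytes beyond the allocation that count would log. */
size_t vulnerable_demo(char backing[BACKING], size_t *leaked)
{
    memset(backing, 'S', BACKING);
    size_t n = build_line_vulnerable(backing, LOG_BUF, demo_fields, 4);
    *leaked = 0;
    for (size_t i = LOG_BUF; i < n && i < BACKING; i++)
        if (backing[i] == 'S')
            (*leaked)++;
    return n;
}

/* Same inputs through the hardened builder; nothing past LOG_BUF is touched. */
size_t fixed_demo(char backing[BACKING], int *truncated)
{
    memset(backing, 'S', BACKING);
    return build_line_fixed(backing, LOG_BUF, demo_fields, 4, truncated);
}

int main(void)
{
    char backing[BACKING];
    size_t leaked, n;
    int truncated;

    n = vulnerable_demo(backing, &leaked);
    printf("vulnerable: write(fd, buf, %zu) from a %d-byte buffer; %zu adjacent bytes "
           "leaked, newline written at buf[%zu]\n", n, LOG_BUF, leaked, n - 1);
    fwrite(backing, 1, n, stdout);     /* the line the log file would receive */

    n = fixed_demo(backing, &truncated);
    printf("fixed: write(fd, buf, %zu), truncated=%d: ", n, truncated);
    fwrite(backing, 1, n, stdout);
    return 0;
}
```

With the constructed fields the vulnerable builder asks the caller to write 33 bytes from a 24-byte buffer and places the newline at offset 32; the hardened one writes 23 bytes, reports truncation, and never touches memory past the allocation. The same comparison (return value against remaining space, then clamp) is the check to look for whenever a loop accumulates snprintf() results into a cursor.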