Date: Tue, 22 Sep 2009 01:49:40 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- PHP 5 - 5.2.11


On Sun, 20 Sep 2009, yersinia wrote:

> > > This would appear to be:
> > >
> > > http://svn.php.net/viewvc?view=revision&revision=287779
> > >
> > > which is Windows-specific.
> >
> > I was more wondering why this is a security issue rather
> > than a bug.
>
> http://securityvulns.com/Vdocument145.html

Vdocument145.html appears to be about a buffer overflow in the second
argument to popen.

PHP bug 44683, which is part of the 5.2.11 PHP announcement, focuses on an
"e" or "er" value in the second argument.  It also suggests the core
problem is in the Microsoft C function _fdopen.

The Vdocument145.html issue may well be the same - maybe _fdopen doesn't
handle *any* invalid mode string, and the exploit has "A" as the first
character, which is invalid.  The actual behavior of _fdopen is not
immediately clear to me.  Maybe there's really a buffer overflow going on.

Vdocument145.html also doesn't seem to mention anything about Windows, so
maybe this applies to other OSes.

The scope of PHP bug #44683 may be very limited, but since the vendor is
trying to communicate that it's a security problem to its customers, it's
still reasonable to assign a CVE to it (momentarily).

- Steve
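The message above speculates about how the Microsoft CRT's _fdopen handles an invalid mode string such as "e", "er" or "A". Whatever the runtime does, the defensive fix for a popen() wrapper is to whitelist the mode before it is forwarded. The following C is an added example written for this archive, not PHP's fix in r287779 and not Microsoft's code; the function names are hypothetical, and the accepted set ("r" or "w", optionally followed by "b" or "t") is an assumption modelled on the modes the Microsoft CRT documents for _popen.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical whitelist check for the second argument of popen().
 * Accepts exactly "r" or "w", optionally followed by one of "b"/"t"
 * (the text-vs-binary flags assumed from the Microsoft CRT's _popen).
 * Anything else ("e", "er", "A", "rw", "", NULL) is rejected before it
 * can reach the C runtime's _popen()/_fdopen(). */
int valid_popen_mode(const char *mode)
{
    if (mode == NULL)
        return 0;
    if (mode[0] != 'r' && mode[0] != 'w')
        return 0;
    if (mode[1] == '\0')
        return 1;
    if (mode[1] != 'b' && mode[1] != 't')
        return 0;
    return mode[2] == '\0';
}

/* popen() wrapper that refuses an invalid mode instead of forwarding it.
 * Returns NULL with errno set to EINVAL on rejection; otherwise behaves
 * like popen(). */
FILE *safe_popen(const char *command, const char *mode)
{
    if (!valid_popen_mode(mode)) {
        errno = EINVAL;
        return NULL;
    }
    return popen(command, mode);
}

int main(void)
{
    /* Constructed probes: the modes named in the thread plus a few more. */
    const char *probes[] = { "r", "w", "rb", "wt", "e", "er", "A", "rw", "" };
    size_t i;

    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("mode \"%s\": %s\n", probes[i],
               valid_popen_mode(probes[i]) ? "accepted" : "rejected");
    return 0;
}
```

One caveat: glibc's popen() additionally accepts an "e" suffix (close-on-exec), so on Linux "re" is a legitimate mode that this whitelist deliberately rejects; a portable wrapper that wants that flag has to add it explicitly rather than trust the caller's string.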
