Date: Fri, 20 Aug 2010 13:00:28 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: pierre.php@...il.com, Moritz Muehlenhoff <jmm@...ian.org>,
 "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: PHP MOPS-2010-56..60

On Fri, 20 Aug 2010 12:38:31 +0200 Pierre Joye wrote:

> > MOPS-2010-056 - MOPS-2010-060 as subject indicates. Those are
> > mysqlnd issues and session serializer issue allowing data
> > injection. Not any from that set of interruption issues that
> > exposed one or two problems in different ways.
>
> As far as I can tell and see, both the mysqlnd and session issues have
> been fixed. Raphael posted commit links earlier in this thread.

> Phar: http://svn.php.net/viewvc?view=revision&revision=298667

I'm aware of that commit. It does not change
php_stream_wrapper_log_error invocation from phar_stream_flush, as
mentioned in MOPS-2010-024:

http://svn.php.net/viewvc/php/php-src/trunk/ext/phar/stream.c?view=markup&pathrev=298667#l471

Hence the question if there is some less obvious change that make that
particular cases non-issue too.

> As far as I remember, the resources related issues are not fixed (-22
> and -03), it is also not new and related to the same bug. I also don't
> think that it will get fixed any time soon as it is not possible to
> fix easily. I think there is already a CVE about this problem.

Are you aware of any good bugs.php.net reference that covers the issue
in greater detail?

Thank you!

-- 
Tomas Hoger / Red Hat Security Response Team