Date: Fri, 09 Jan 2015 04:02:41 +1100
From: Joshua Rogers <oss@...ernot.info>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: PHP

On 08/01/15 22:11, Joshua Rogers wrote:

> CVE Request 2:
>
> Uninitialized Pointer Read in PHP core('fopen()')
> Bug report: https://bugs.php.net/bug.php?id=68692&edit=2
> Commit fix:
> http://git.php.net/?p=php-src.git;a=commit;h=7ebdc8d70d7617f2c3353b027663ef54a24a2248
Not a valid security risk. In all cases of the 'vulnerable' function
being used, a specific case is not true, which means that it cannot be
exploited.
>>                 if (!(stream = php_stream_open_wrapper(p + 10, mode,
>> options, opened_path))) {
>>                         efree(pathdup);
>>                         return NULL;
>>                 }
'stream' must be false when php_stream_apply_filter_list is called,
which for all cases in the PHP code, cannot be.

> CVE Request 3:
> Uninitialized Pointer Read in PHP core
> Bug report: https://bugs.php.net/bug.php?id=68694&edit=2
> Commit fix:
> http://git.php.net/?p=php-src.git;a=commit;h=f3ea1b0b6a42a08093bf9191ad76fb4b5e0a653b
This is invalid too.
It requires, like request #2, for 'stream' to be NULL.

>         for (key = php_strtok_r(tmp, ",", &lasts);
In this case, 'tmp' must be NULL for it to crash/be exploited.
But tmp is defined:
>         tmp = estrndup(new_value->val, new_value->len);
estrndup uses "emalloc", which like the other one from a few days ago
that I revoked, doesn't return NULL, but just crashes the program with
out-of-memory exit.


Thanks,
-- 
-- Joshua Rogers <https://internot.info/>
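The argument above rests on the allocator's failure semantics: PHP's emalloc family aborts on out-of-memory rather than returning NULL, so the 'tmp == NULL' path into strtok_r is unreachable. The following is an added example, not PHP's code, showing the same fail-fast allocator idiom beside a "dup then tokenize" loop of the quoted shape; the names xmalloc, xstrndup and count_csv_fields are hypothetical.

```c
/* Added example: a fail-fast allocator in the style of PHP's
 * emalloc/estrndup, plus a strtok_r loop like the one quoted from the
 * ini handler. Because the allocator never returns NULL, the tokenizer
 * never sees tmp == NULL; the only OOM outcome is abort(). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fail-fast allocation: on OOM, abort instead of returning NULL. */
static void *xmalloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) {
        fputs("out of memory\n", stderr);
        abort();
    }
    return p;
}

/* Copy at most len bytes of s into a new NUL-terminated buffer
 * (the role estrndup plays in the quoted code). */
static char *xstrndup(const char *s, size_t len)
{
    char *d = xmalloc(len + 1);
    memcpy(d, s, len);
    d[len] = '\0';
    return d;
}

/* Count comma-separated fields of a length-delimited value using the
 * same "dup then strtok_r" pattern. No NULL check on tmp is needed for
 * memory safety: xstrndup either returns a valid buffer or aborts. */
int count_csv_fields(const char *val, size_t len)
{
    char *tmp = xstrndup(val, len);
    char *lasts = NULL;
    int n = 0;
    for (char *key = strtok_r(tmp, ",", &lasts); key != NULL;
         key = strtok_r(NULL, ",", &lasts)) {
        n++;
    }
    free(tmp);
    return n;
}
```

A static analyser that models malloc as "may return NULL" will still flag this pattern; the fix is to teach it the wrapper's abort-on-failure contract, not to add a dead NULL check.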

