Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu,  5 Feb 2015 08:33:33 -0500 (EST)
From: cve-assign@...re.org
To: jsegitz@...e.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: NULL ptr deref in php

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> couldn't find a CVE for https://bugs.php.net/bug.php?id=68545

Does a crash triggered by an unserialize argument cross privilege
boundaries in typical cases?

http://php.net/manual/function.unserialize.php says

   Do not pass untrusted user input to unserialize(). Unserialization
   can result in code being loaded and executed due to object
   instantiation and autoloading, and a malicious user may be able to
   exploit this.

In the past, there have been CVEs for remote code execution that rely
on an untrusted unserialize argument, e.g., CVE-2014-3669 and
CVE-2014-8142. These may be important for attacks against some types
of restricted environments.

CVE inclusion for unserialize crashes could potentially be handled
differently.

For example, is it common for a PHP application to accept some
untrusted unserialize arguments but not arbitrary untrusted
unserialize arguments, with a decision process that would accept the
https://bugs.php.net/bug.php?id=68545 example argument, because static
analysis could prove that that argument is safe with respect to code
execution?

If not, then (at least for crash situations) perhaps it would be
better to focus on CVE assignments at the application level for
applications that are inconsistent with the "Do not pass untrusted
user input to unserialize()" documentation.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU03B7AAoJEKllVAevmvmsXS0IAI0qvlgEjcBxzvIy9y89SNB2
G+0V024xf+QrFWTryWVhs04AaffkxLdqZP2VUiAjgzasyQ6XHRwGmTvfR6kwbTZj
X8R5xiCCSoKvT1LVtQKedeeuxQ0n4/V/maOXnp1l0QRby90I2KhKf9uCw22kLDHr
Iws34tm5GMgI+jMMEnUsHoDFW4iDYiTOmOCkzdJ6CytjR1TxWXWhAm4IZnuLpmEE
d3aNjWJbbIQfaVCStgnLnUOWs7qeWRLC2L6g0jp/llQ5iMIu3T3WZH2HyBLSZeDO
UWJ7KzM42g0hrBHuXen9TD6IPrpwO41zNwxEoUT9Lcav+fnZFUHasMYd326V288=
=Z9Jt
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ