Date: Thu, 5 Feb 2015 08:33:33 -0500 (EST) From: cve-assign@...re.org To: jsegitz@...e.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: NULL ptr deref in php -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > couldn't find a CVE for https://bugs.php.net/bug.php?id=68545 Does a crash triggered by an unserialize argument cross privilege boundaries in typical cases? http://php.net/manual/function.unserialize.php says Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. In the past, there have been CVEs for remote code execution that rely on an untrusted unserialize argument, e.g., CVE-2014-3669 and CVE-2014-8142. These may be important for attacks against some types of restricted environments. CVE inclusion for unserialize crashes could potentially be handled differently. For example, is it common for a PHP application to accept some untrusted unserialize arguments but not arbitrary untrusted unserialize arguments, with a decision process that would accept the https://bugs.php.net/bug.php?id=68545 example argument, because static analysis could prove that that argument is safe with respect to code execution? If not, then (at least for crash situations) perhaps it would be better to focus on CVE assignments at the application level for applications that are inconsistent with the "Do not pass untrusted user input to unserialize()" documentation. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJU03B7AAoJEKllVAevmvmsXS0IAI0qvlgEjcBxzvIy9y89SNB2 G+0V024xf+QrFWTryWVhs04AaffkxLdqZP2VUiAjgzasyQ6XHRwGmTvfR6kwbTZj X8R5xiCCSoKvT1LVtQKedeeuxQ0n4/V/maOXnp1l0QRby90I2KhKf9uCw22kLDHr Iws34tm5GMgI+jMMEnUsHoDFW4iDYiTOmOCkzdJ6CytjR1TxWXWhAm4IZnuLpmEE d3aNjWJbbIQfaVCStgnLnUOWs7qeWRLC2L6g0jp/llQ5iMIu3T3WZH2HyBLSZeDO UWJ7KzM42g0hrBHuXen9TD6IPrpwO41zNwxEoUT9Lcav+fnZFUHasMYd326V288= =Z9Jt -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ