Date: Thu,  5 Feb 2015 08:33:33 -0500 (EST)
From: cve-assign@...re.org
To: jsegitz@...e.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: NULL ptr deref in php


> couldn't find a CVE for https://bugs.php.net/bug.php?id=68545

Does a crash triggered by an unserialize argument cross privilege
boundaries in typical cases?

http://php.net/manual/function.unserialize.php says

   Do not pass untrusted user input to unserialize(). Unserialization
   can result in code being loaded and executed due to object
   instantiation and autoloading, and a malicious user may be able to
   exploit this.

In the past, there have been CVEs for remote code execution that rely
on an untrusted unserialize argument, e.g., CVE-2014-3669 and
CVE-2014-8142. These may be important for attacks against some types
of restricted environments.

CVE inclusion for unserialize crashes could potentially be handled
differently.

For example, is it common for a PHP application to accept some
untrusted unserialize arguments but not arbitrary untrusted
unserialize arguments, with a decision process that would accept the
https://bugs.php.net/bug.php?id=68545 example argument, because static
analysis could prove that that argument is safe with respect to code
execution?

If not, then (at least for crash situations) perhaps it would be
better to focus on CVE assignments at the application level for
applications that are inconsistent with the "Do not pass untrusted
user input to unserialize()" documentation.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
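Added example (not part of the thread or of PHP's own documentation) illustrating the manual guidance quoted above: the weak pattern hands attacker-controlled bytes straight to unserialize(), while the hardened loader uses the `allowed_classes` option (PHP 7.0 and later) and refuses any object, so no user class is instantiated or autoloaded. Function names and the sample payloads are constructed for this illustration.

```php
<?php
// Weak pattern: any object in the payload is instantiated, which triggers
// autoloading and magic methods (__wakeup, __destruct) of application classes.
function load_state_unsafe(string $blob)
{
    return unserialize($blob);
}

// Hardened pattern: allowed_classes => false maps every object to
// __PHP_Incomplete_Class, and the walker rejects even those, so only scalars
// and arrays ever come back. Prefer json_decode() for new code where possible.
function load_state(string $blob): array
{
    // unserialize() returns false and emits a notice on malformed input;
    // 'b:0;' is the one legitimate payload that also decodes to false.
    $value = @unserialize($blob, ['allowed_classes' => false]);
    if ($value === false && $blob !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    $walk = function ($v) use (&$walk): void {
        if (is_object($v)) {
            throw new InvalidArgumentException('objects are not accepted');
        }
        if (is_array($v)) {
            foreach ($v as $e) {
                $walk($e);
            }
        }
    };
    $walk($value);
    return is_array($value) ? $value : ['value' => $value];
}

// Constructed inputs for demonstration.
$plain      = serialize(['user' => 'alice', 'page' => 3]); // accepted
$withObject = 'O:8:"stdClass":0:{}';                       // rejected

var_dump(load_state($plain));
try {
    load_state($withObject);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Note that this only closes the object-instantiation vector the manual warns about; a parser-level crash in unserialize() itself, which is what the bug referenced in this thread concerns, is not prevented by `allowed_classes`, which is why the message above argues that such input should not reach unserialize() at all.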