Date: Mon, 7 Sep 2015 14:51:24 +0200 From: Marcus Meissner <meissner@...e.de> To: OSS Security List <oss-security@...ts.openwall.com>, security@....net, cve-assign@...re.org Subject: CVE Request: PHP remote exploits (even more) Hi, the last patch of PHP remote exploits have no CVEs assigned yet, but here are even more. Please assign CVEs. http://php.net/ChangeLog-5.php#5.4.45 https://bugs.php.net/bug.php?id=70172 Use After Free Vulnerability in unserialize() Given attacker input to unserialize() we should consider this a security issue. https://bugs.php.net/bug.php?id=70219 Use after free vulnerability in session deserializer Same. https://bugs.php.net/bug.php?id=70388 SOAP serialize_function_call() type confusion / RCE Definitely, even the summary has enough indication for me. https://bugs.php.net/bug.php?id=70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage I would also say this can be attacker driven, so needs a CVE. https://bugs.php.net/bug.php?id=70366 yet another use-after-free vulnerability in unserialize() with SplDoublyLinkedL Same. https://bugs.php.net/bug.php?id=69782 NULL pointer dereference Denial of service, these queries might be fed from remote. Perhaps CVEs also for: https://bugs.php.net/bug.php?id=70385 Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes Questionable. It seems no crash was observed, so no denial of service. At most a information leak. https://bugs.php.net/bug.php?id=70312 HAVAL gives wrong hashes in specific cases Questionable. I am not sure this is attacker driveable or if an attacker could do anything with this. https://bugs.php.net/bug.php?id=70345 Various PCRE issues caused by the regexp string. There has been a tendency to either declare this CVE worthy or declare that its not attacker driven usually. Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ