Date: Tue, 8 Sep 2015 13:44:17 -0400 (EDT) From: cve-assign@...re.org To: meissner@...e.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: more php unserializing issues -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 The CVE IDs in this message apply to PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12. > These look like they can be exploited for code execution. There is related discussion in the http://www.openwall.com/lists/oss-security/2015/02/05/5 post. The essential question is whether there should be a new CVE ID for every report where exploitation depends on the attacker's ability to control the argument to unserialize. We think these reports are important to relatively few people, i.e., either because their applications don't allow arbitrary input to unserialize, or because their applications do allow arbitrary input to unserialize and there's already a much simpler attack approach available. In other words, in practice, no privilege boundary is crossed. However, it's conceivable for an application to have constraints on how unserialize is used, such that many attacks are blocked, but these remote-code-execution attacks involving use-after-free bugs aren't blocked. For example, see some of the discussion linked from the https://wiki.php.net/rfc/secure_unserialize page. > https://bugs.php.net/bug.php?id=70166 > https://bugs.php.net/bug.php?id=70155 (dup) > Use After Free Vulnerability in unserialize() with SPLArrayObject > > https://bugs.php.net/bug.php?id=70168 > Use After Free Vulnerability in unserialize() with SplObjectStorage > > https://bugs.php.net/bug.php?id=70169 > Use After Free Vulnerability in unserialize() with SplDoublyLinkedList In the current case, we feel it is best to combine a number of taoguangchen@...oud.com discoveries into one CVE. Use CVE-2015-6831 for 70155/70166/70168/70169. > https://bugs.php.net/bug.php?id=70068 > Dangling pointer in the unserialization of ArrayObject items > impact: remote code execution Use CVE-2015-6832 for this sean.heelan@...il.com discovery. > https://bugs.php.net/bug.php?id=70019 > Files extracted from archive may be placed outside of destination directory Use CVE-2015-6833. This seems to be a marginal case in which the issue can be interpreted as a security enhancement because the vendor (2015-07-08 14:30) states that the behavior was intended. However, for most people, "Extract the contents of a phar archive to a directory" (see the http://php.net/manual/en/phar.extractto.php page) probably doesn't suggest that an arbitrary set of directories can be chosen by the author of the archive. Also, we already have CVE-2008-5658. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJV7xyyAAoJEL54rhJi8gl5JmQQAK6PYuPa3hQJQLwPzyvjhmIa 5mpVQFRiLm+A/uY7uYOtGTUgqfCS5W0nJGkqlzf9djt4wLeY5vYC+4ihfHyKZLfN 2TY0jTEYNP2aLKPm5yBDZftI725R63MmC89MTzuAsylom4Zz192gqlQQtFIP/xQj xt00diyJpagCX86wLi/DaIdmdDaRwK6UIbjcMmfcwLGxTq9UUJsNlm9qVqrXOJFc WwhtqNsnh8WUZgAvA8GlyGaXgiHzfszNE+n+mz0KKxYNyDUKaVQkfpaekM904WjG f0yQNBvJk33t6AjAxzmBIamltUpipRg1joKS/afQV/cot8wzEtCMloE6XJgTXZm0 MIKbzC1iYe7HqXR5KFHPDSU2x3y4J1sRGu0Wx6tFZ++2Icgz0eqm9emgxvuUzPqD r9YnKSQy7cvPA3gXUwwp++3PNvTbuJLJGZt6fKBkM2uFcd/Mh6+RoEc62QuhvJ6/ 75ixk8s7yfTzDt7IHxBfqQ9hEtq455vligCt8m55n4GXJ/uAN5Pqs6tdnFvp1bwa rAky6ucUoma/cb1Z25vCh4b9zLS+w5A1+BrZ1uaAI4U2BlUPOhepZg8YDhGLiv6o JMRxReO6Slfa2qdT1x4aGL2T4lnacCumMbPlrsED/qLOdIgBv9IjX0lUXKGu30yT TRCdGfALD7wzyv/cUAoQ =hXh2 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ