Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue,  8 Sep 2015 13:44:17 -0400 (EDT)
From: cve-assign@...re.org
To: meissner@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: more php unserializing issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The CVE IDs in this message apply to PHP before 5.4.44, 5.5.x before
5.5.28, and 5.6.x before 5.6.12.

> These look like they can be exploited for code execution.

There is related discussion in the
http://www.openwall.com/lists/oss-security/2015/02/05/5 post. The
essential question is whether there should be a new CVE ID for every
report where exploitation depends on the attacker's ability to control
the argument to unserialize. We think these reports are important to
relatively few people, i.e., either because their applications don't
allow arbitrary input to unserialize, or because their applications do
allow arbitrary input to unserialize and there's already a much
simpler attack approach available. In other words, in practice, no
privilege boundary is crossed. However, it's conceivable for an
application to have constraints on how unserialize is used, such that
many attacks are blocked, but these remote-code-execution attacks
involving use-after-free bugs aren't blocked. For example, see some of
the discussion linked from the
https://wiki.php.net/rfc/secure_unserialize page.


> https://bugs.php.net/bug.php?id=70166
> https://bugs.php.net/bug.php?id=70155 (dup)
> Use After Free Vulnerability in unserialize() with SPLArrayObject
> 
> https://bugs.php.net/bug.php?id=70168
> Use After Free Vulnerability in unserialize() with SplObjectStorage
> 
> https://bugs.php.net/bug.php?id=70169
> Use After Free Vulnerability in unserialize() with SplDoublyLinkedList

In the current case, we feel it is best to combine a number of
taoguangchen@...oud.com discoveries into one CVE. Use CVE-2015-6831
for 70155/70166/70168/70169.


> https://bugs.php.net/bug.php?id=70068
> Dangling pointer in the unserialization of ArrayObject items
>         impact: remote code execution

Use CVE-2015-6832 for this sean.heelan@...il.com discovery.


> https://bugs.php.net/bug.php?id=70019
> Files extracted from archive may be placed outside of destination directory

Use CVE-2015-6833. This seems to be a marginal case in which the issue
can be interpreted as a security enhancement because the vendor
(2015-07-08 14:30) states that the behavior was intended. However, for
most people, "Extract the contents of a phar archive to a directory"
(see the http://php.net/manual/en/phar.extractto.php page) probably
doesn't suggest that an arbitrary set of directories can be chosen by
the author of the archive. Also, we already have CVE-2008-5658.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJV7xyyAAoJEL54rhJi8gl5JmQQAK6PYuPa3hQJQLwPzyvjhmIa
5mpVQFRiLm+A/uY7uYOtGTUgqfCS5W0nJGkqlzf9djt4wLeY5vYC+4ihfHyKZLfN
2TY0jTEYNP2aLKPm5yBDZftI725R63MmC89MTzuAsylom4Zz192gqlQQtFIP/xQj
xt00diyJpagCX86wLi/DaIdmdDaRwK6UIbjcMmfcwLGxTq9UUJsNlm9qVqrXOJFc
WwhtqNsnh8WUZgAvA8GlyGaXgiHzfszNE+n+mz0KKxYNyDUKaVQkfpaekM904WjG
f0yQNBvJk33t6AjAxzmBIamltUpipRg1joKS/afQV/cot8wzEtCMloE6XJgTXZm0
MIKbzC1iYe7HqXR5KFHPDSU2x3y4J1sRGu0Wx6tFZ++2Icgz0eqm9emgxvuUzPqD
r9YnKSQy7cvPA3gXUwwp++3PNvTbuJLJGZt6fKBkM2uFcd/Mh6+RoEc62QuhvJ6/
75ixk8s7yfTzDt7IHxBfqQ9hEtq455vligCt8m55n4GXJ/uAN5Pqs6tdnFvp1bwa
rAky6ucUoma/cb1Z25vCh4b9zLS+w5A1+BrZ1uaAI4U2BlUPOhepZg8YDhGLiv6o
JMRxReO6Slfa2qdT1x4aGL2T4lnacCumMbPlrsED/qLOdIgBv9IjX0lUXKGu30yT
TRCdGfALD7wzyv/cUAoQ
=hXh2
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.