Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 16 Mar 2016 19:03:44 -0400 (EDT)
From: cve-assign@...re.org
To: jmm@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Three CVE requests for PHP

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> ZipArchive::extractTo allows for directory traversal when creating directories
> https://bugs.php.net/bug.php?id=70350
> https://github.com/facebook/hhvm/commit/65c95a01541dd2fbc9c978ac53bed235b5376686

Use CVE-2014-9767 for this issue that was apparently disclosed in
https://bugs.php.net/bug.php?id=67996 in 2014. The issue could be
relevant in cases where, for example:

  - a parent directory is on a filesystem that can't support many
    inodes, and the attacker can cause a DoS by creating thousands of
    empty directories there

  - a parent directory is served by the web server and allows a full
    directory listing, and the attacker can therefore post spam in the
    form of directory names


> https://bugs.php.net/bug.php?id=70385
> https://bugs.php.net/bug.php?id=70312

These were mentioned here 6 months ago in the
http://www.openwall.com/lists/oss-security/2015/09/08/8 and earlier
posts. We don't see any issue with re-opening the discussion at this
point, but could you please provide new information or a
counterargument?

For example, in 70385, is the security concern that someone may deploy
a web application that accepts arbitrary untrusted TIFF files and is
intended to print EXIF values, but would realistically instead print
the contents of other memory locations associated with a different
client's session?

In 70312, the "[2015-08-21 02:00 UTC]" comment says 'I'm sorry but I
cannot change the bug type. It is not "Security".' Was it supposed to
have been categorized as a security bug, or is the discussion from 6
months ago applicable:

  This might be primarily an interoperability bug. 70312 doesn't attempt
  to show that the hashes produced by PHP's HAVAL implementation had
  weaker security properties than those produced by a correct
  implementation. (One might also argue that applications requiring
  especially good hash properties should not be using HAVAL at all.)

?

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW6eWGAAoJEL54rhJi8gl52vwQAJKFdLmLfg4LSaa+Z07OnbH+
nUuELFK3Y2d4q/cxj5Uy/uQSDh1ufVmOhLEu0aajVfIqSiVxyzxQ3BjRKTIvprtf
Nennjbzwm9agJVyP2szFphJzvlrJrhKHkXU3jT1616tHl7ZFWcuthz4Fk3z0873k
2cJ6c6ek3sRK+Vv5WoNw1iFjkPu7qAQloX+x2ZxvT01zeElp2zrz7JJ4y1AGv6nb
54Wl334PCwuf0F/vV5G/GO3XQJdB5daQVMQ8OyRQVkn5KnqCDI8ceD0aG+Q1JZed
seV2eo2lwhYzddd3cV03/R1zKUFXisUZEdjjnas5EXHdl/rdcN+clmYTNqjL6UaM
Mo6PTOdN/egwAJC481zOdNjKWu2h8KT3XCXP1SLw6y0FC1IOeELnJqcFjEej1lDx
nGWcw3AuHmf7+Iq4vw/16EB2ETTtM3GYEq2nFgxAImPSjtdLR6UznWV5ZHCwtWC/
RaGDY4ZGK2iKRMdCshOCeh0wp9f5D9pnZA89PygH+yThzjD5v9Y51EuBHVN3FUcP
ZpIRFLVJJ5Vx+PibCXygHpD9DHN3PHEbdEMGP6hDeokLON9CrN8Uu6XzwbLDrQxM
sTrn1AgElznVv5o4N3HwxcmDQwANG71EQeKwaV01gSEX/v2X9evV4I4AMfGv0d7k
CAqu4MIzM9VyDkcLYcF/
=mvYU
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.