Date: Tue, 22 Mar 2016 17:05:54 -0500
From: Tyler Hicks <tyhicks@...onical.com>
To: oss-security@...ts.openwall.com
Cc: meissner@...e.de, cve-assign@...re.org, security@....net
Subject: Re: Re: CVE Request: PHP last release security issues

On 2016-03-16 16:42:30, cve-assign@...re.org wrote:
> > https://bugs.php.net/bug.php?id=71610
> 
> >> Type Confusion Vulnerability - SOAP / make_http_soap_request()
> 
> >> Due to an insufficient validation of the cookies field when making SOAP http request
> 
> >> https://github.com/php/php-src/blob/master/ext/soap/php_http.c
> 
> >> There is lack of validation of 2nd/3rd elements in cookies array.
> >>
> >> and a type confusion occurs when they are no longer string.
> 
> >> [2016-02-22 07:48 UTC] stas@....net
> >> Fix added to security repo as eaf4e77190d402ea014207e9a7d5da1a4f3727ba
> 
> > https://git.php.net/?p=php-src.git;a=commit;h=eaf4e77190d402ea014207e9a7d5da1a4f3727ba
> 
> >> + Z_TYPE_P(tmp) != IS_STRING ||
> 
> >> + Z_TYPE_P(tmp) != IS_STRING ||
> 
> Use CVE-2016-3185.

I see a similar bug and fix in the PHP 5.x branch:

  https://bugs.php.net/bug.php?id=70081
  https://git.php.net/?p=php-src.git;a=commitdiff;h=c96d08b27226193dd51f2b50e84272235c6aaa69

Note that the bug was filed in 2015. It was fixed in 5.6.12:

  https://secure.php.net/ChangeLog-5.php#5.6.12

Does CVE-2016-3185 cover the issue in 5.x, as well?

Tyler 
