Date: Tue, 1 Nov 2016 10:58:28 +0200 From: Lior Kaplan <kaplanlior@...il.com> To: cve-assign@...re.org Cc: oss-security@...ts.openwall.com Subject: Re: CVE assignment for PHP 5.6.27 and 7.0.12 On Tue, Oct 18, 2016 at 7:34 PM, <cve-assign@...re.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > > Please assign a CVE for the following issue: > > > > Bug #73147 Use After Free in unserialize() > > https://bugs.php.net/bug.php?id=73147 > > http://git.php.net/?p=php-src.git;a=commit;h= > 0e6fe3a4c96be2d3e88389a5776f878021b4c59f > > Can you clarify what should be the scope of this CVE? > zend_unset_property doesn't exist at all in PHP 7.0.11. The > 0e6fe3a4c96be2d3e88389a5776f878021b4c59f commit adds > zend_unset_property for PHP 7.0.12, and arranges for > zend_unset_property to be called only from > "ZEND_METHOD(CURLFile, __wakeup)" in ext/curl/curl_file.c. > > We're not sure whether that affects anything outside of the CURLFile > implementation. However, 73147 discusses other concerns such as "The > similar bug can be also triggered via Exception::__toString with > DateInterval::__wakeup" and "The problem is that every __wakeup that > modifies any property would produce the same problem." > > There seems to be a related code change between 7.0.11 and 7.0.12 that > arranges for additional calls to zend_unset_property: > > http://git.php.net/?p=php-src.git;a=blobdiff;f=Zend/zend_exceptions.c;h= > f21968733581a3cb672d039bec16ce6f17a93db9;hp=95d18f45fbea8808c00975b5df4619 > d5d6745ab0;hb=689a9b8def07875641b3132a82c701fb7acb676c;hpb= > 4165d976066129000d947ffa3be73f91e9867635 > > So, some of the options include: > > 1. 0e6fe3a4c96be2d3e88389a5776f878021b4c59f is a complete security > patch that fixes everything discussed in 73147, including the "other > concerns" mentioned above. > > 2. 0e6fe3a4c96be2d3e88389a5776f878021b4c59f fixes only the CURLFile > implementation. The "other concerns" mentioned above are > vulnerabilities that still exist in 7.0.12. > > 3. The combination of 0e6fe3a4c96be2d3e88389a5776f878021b4c59f and the > above Zend/zend_exceptions.c diff is a complete security patch that > fixes everything discussed in 73147, including the "other concerns" > mentioned above. There only needs to be one CVE ID associated with > this complete security patch. > > 4. The combination of 0e6fe3a4c96be2d3e88389a5776f878021b4c59f and the > above Zend/zend_exceptions.c diff is a complete security patch that > fixes everything discussed in 73147, including the "other concerns" > mentioned above. There should be one CVE ID for the security fix to > the CURLFile implementation, and a separate CVE ID for the security > fix found in Zend/zend_exceptions.c. > > Which of the above (1 through 4) is correct and/or preferred? > I've asked Stas (who fixed the issue) and #2 is the current situation. Kaplan
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ