Date: Tue, 1 Nov 2016 10:58:28 +0200
From: Lior Kaplan <kaplanlior@...il.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE assignment for PHP 5.6.27 and 7.0.12

On Tue, Oct 18, 2016 at 7:34 PM, <cve-assign@...re.org> wrote:

>
> > Please assign a CVE for the following issue:
> >
> > Bug #73147    Use After Free in unserialize()
> > https://bugs.php.net/bug.php?id=73147
> > http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f
>
> Can you clarify what should be the scope of this CVE?
> zend_unset_property doesn't exist at all in PHP 7.0.11. The
> 0e6fe3a4c96be2d3e88389a5776f878021b4c59f commit adds
> zend_unset_property for PHP 7.0.12, and arranges for
> zend_unset_property to be called only from
> "ZEND_METHOD(CURLFile, __wakeup)" in ext/curl/curl_file.c.
>
> We're not sure whether that affects anything outside of the CURLFile
> implementation. However, 73147 discusses other concerns such as "The
> similar bug can be also triggered via Exception::__toString with
> DateInterval::__wakeup" and "The problem is that every __wakeup that
> modifies any property would produce the same problem."
>
> There seems to be a related code change between 7.0.11 and 7.0.12 that
> arranges for additional calls to zend_unset_property:
>
>   http://git.php.net/?p=php-src.git;a=blobdiff;f=Zend/zend_exceptions.c;h=f21968733581a3cb672d039bec16ce6f17a93db9;hp=95d18f45fbea8808c00975b5df4619d5d6745ab0;hb=689a9b8def07875641b3132a82c701fb7acb676c;hpb=4165d976066129000d947ffa3be73f91e9867635
>
> So, some of the options include:
>
> 1. 0e6fe3a4c96be2d3e88389a5776f878021b4c59f is a complete security
> patch that fixes everything discussed in 73147, including the "other
> concerns" mentioned above.
>
> 2. 0e6fe3a4c96be2d3e88389a5776f878021b4c59f fixes only the CURLFile
> implementation. The "other concerns" mentioned above are
> vulnerabilities that still exist in 7.0.12.
>
> 3. The combination of 0e6fe3a4c96be2d3e88389a5776f878021b4c59f and the
> above Zend/zend_exceptions.c diff is a complete security patch that
> fixes everything discussed in 73147, including the "other concerns"
> mentioned above. There only needs to be one CVE ID associated with
> this complete security patch.
>
> 4. The combination of 0e6fe3a4c96be2d3e88389a5776f878021b4c59f and the
> above Zend/zend_exceptions.c diff is a complete security patch that
> fixes everything discussed in 73147, including the "other concerns"
> mentioned above. There should be one CVE ID for the security fix to
> the CURLFile implementation, and a separate CVE ID for the security
> fix found in Zend/zend_exceptions.c.
>
> Which of the above (1 through 4) is correct and/or preferred?
>

I've asked Stas (who fixed the issue) and #2 is the current situation.

Kaplan
