Date: Thu, 6 Sep 2012 20:56:24 -0500
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: php header() header injection detection bypass

On Wednesday 05 September 2012 12:05:43 cve-assign@...re.org wrote:
[...]
> In the actual situation, the
> https://bugs.php.net/patch-display.php?bug_id=60227&patch=SAPI.diff&revis
> ion=1320563128 patch had a logic flaw related to the "((p = memchr(s,
> '\n', (e - s))) || (p = memchr(s, '\r', (e - s))))" expression. MITRE
> prefers to categorize this type of situation as an "incorrect fix" not an
> "incomplete fix." Admittedly, for many CVE users it doesn't matter.

You are indeed right; it is better to categorize it as an incorrect fix.

> Note 2: We probably haven't found the exact affected 5.4.0RC versions,
> but this doesn't matter much because those versions aren't widely
> used. Specifically, we don't know whether there's a supported download
> location for every pre-release version that ever existed, but we
> happened to find the http://php.marvel.strk.jp/archive/ directory.
> Here, 5.4.0alpha3 (August 2011) does not check for '\r' at all,
> whereas 5.4.0RC2 (December 2011) can check for '\r' but has the
> above-mentioned logic flaw. This is consistent with the 2011-11-06 SVN
> date listed in bug 60227.

Since RCs and alphas are published in user dirs, and not in the main release 
system, I don't think they are actively archived.

However, taking a look at the 5.4.0RC1 tag in git, it seems the issue was 
indeed introduced in RC2:
https://github.com/php/php-src/blob/php-5.4.0RC1/main/SAPI.c#L715
And to confirm it in RC2:
https://github.com/php/php-src/blob/php-5.4.0RC2/main/SAPI.c#L715

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
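As an added illustration of the logic flaw in the quoted `memchr` expression (this is not code from the thread or from PHP), here is a reduced model of the short-circuit check beside a byte-by-byte check, run over constructed header strings; the loop around the expression and all function names are my assumptions, not the actual SAPI.c code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True when the byte after p is SP or HT, i.e. a folded-header continuation. */
static bool is_continuation(const char *p, const char *e)
{
    return (p + 1 < e) && (p[1] == ' ' || p[1] == '\t');
}

/* Reduced model of the RC2-era check built around the quoted expression:
 * search for '\n' first and, only if none is found, search for '\r'.
 * The surrounding loop is an assumption for illustration, not PHP's code. */
bool header_ok_shortcircuit(const char *line, size_t len)
{
    const char *s = line, *e = line + len, *p;
    while (s < e && ((p = memchr(s, '\n', (e - s))) || (p = memchr(s, '\r', (e - s))))) {
        if (!is_continuation(p, e))
            return false;    /* line break not followed by SP/HT: reject */
        s = p + 1;           /* any '\r' located before p is never examined */
    }
    return true;
}

/* Hardened check: examine every byte so no CR or LF can be skipped. */
bool header_ok_bytewise(const char *line, size_t len)
{
    const char *e = line + len;
    for (const char *p = line; p < e; p++) {
        if (*p != '\n' && *p != '\r')
            continue;
        if (*p == '\r' && p + 1 < e && p[1] == '\n')
            p++;             /* treat CRLF as a single line break */
        if (!is_continuation(p, e))
            return false;    /* break not followed by SP/HT: reject */
        p++;                 /* the SP/HT belongs to the folded line */
    }
    return true;
}

int main(void)
{
    /* Constructed sample: a bare CR placed before a legitimate fold. */
    const char *h = "X-Test: a\rX-Other: b\n c";
    printf("short-circuit: %d  bytewise: %d\n",
           header_ok_shortcircuit(h, strlen(h)), header_ok_bytewise(h, strlen(h)));
    return 0;
}
```

The short-circuit model accepts the sample because the `'\n'` followed by a space is found first and the scan resumes after it, while the byte-by-byte check rejects the bare `'\r'`.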
