Date: Thu, 6 Sep 2012 20:56:24 -0500
From: Raphael Geissert <>
Subject: Re: Re: php header() header injection detection bypass

On Wednesday 05 September 2012 12:05:43 wrote:
> In the actual situation, the
> ion=1320563128 patch had a logic flaw related to the "((p = memchr(s,
> '\n', (e - s))) || (p = memchr(s, '\r', (e - s))))" expression. MITRE
> prefers to categorize this type of situation as an "incorrect fix" not an
> "incomplete fix." Admittedly, for many CVE users it doesn't matter.

You are indeed right, it is better to categorize it as an incorrect fix.

> Note 2: We probably haven't found the exact affected 5.4.0RC versions,
> but this doesn't matter much because those versions aren't widely
> used. Specifically, we don't know whether there's a supported download
> location for every pre-release version that ever existed, but we
> happened to find the directory.
> Here, 5.4.0alpha3 (August 2011) does not check for '\r' at all,
> whereas 5.4.0RC2 (December 2011) can check for '\r' but has the
> above-mentioned logic flaw. This is consistent with the 2011-11-06 SVN
> date listed in bug 60227.

Since RCs and alphas are published in user dirs, and not in the main release 
system, I don't think they are actively archived.

However, taking a look at the 5.4.0RC1 tag in git, it seems the issue was 
indeed introduced in RC2:
And to confirm it in RC2:

Raphael Geissert - Debian Developer -
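The logic flaw in the quoted memchr expression, shown as an added example (not part of this thread and not PHP's SAPI.c source). The `((p = memchr(s, '\n', (e - s))) || (p = memchr(s, '\r', (e - s))))` expression is the one quoted above; the enclosing loop and the "continuation line" exemption (a newline followed by SP or HT is allowed) are assumed from bug 60227's description of the check, and the function names `flawed_check` and `fixed_check` are hypothetical. The sample headers are constructed. Because memchr for '\n' scans the whole remaining range before '\r' is ever looked for, a '\r' placed before a later folded '\n' is never examined; `fixed_check` walks every byte instead.

```c
/* Added example: reconstruction of the flawed header newline check beside a
 * byte-by-byte replacement. Not PHP's code; see the lead-in for assumptions. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if the header line is accepted, 0 if rejected ("new line detected").
 * Assumed shape of the check: the memchr expression is quoted from the thread,
 * the SP/HT continuation-line exemption is assumed from the bug report. */
static int flawed_check(const char *header_line, size_t header_line_len)
{
    const char *s = header_line, *e = header_line + header_line_len, *p;

    /* The '\n' search covers the whole remaining range; '\r' is searched for
     * only when no '\n' is left.  Once s has been advanced past a folded '\n',
     * any '\r' that sat before it has been skipped without inspection. */
    while (s < e && ((p = memchr(s, '\n', (e - s))) || (p = memchr(s, '\r', (e - s))))) {
        if (p + 1 < e && (*(p + 1) == ' ' || *(p + 1) == '\t')) {
            s = p + 1;              /* treated as a folded continuation line */
            continue;
        }
        return 0;
    }
    return 1;
}

/* Replacement that keeps the same folding policy but inspects every byte in
 * order, treating "\r", "\n" and "\r\n" as line terminators, so none can be
 * skipped.  If folding is not needed, rejecting any CR or LF is simpler still. */
static int fixed_check(const char *header_line, size_t header_line_len)
{
    const char *p = header_line, *e = header_line + header_line_len;

    while (p < e) {
        if (*p == '\r' || *p == '\n') {
            const char *next = p + 1;
            if (*p == '\r' && next < e && *next == '\n')
                next++;                         /* "\r\n" is one terminator */
            if (next < e && (*next == ' ' || *next == '\t')) {
                p = next + 1;                   /* folded continuation line */
                continue;
            }
            return 0;
        }
        p++;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample headers; the last one is the bypass: a bare CR hidden
     * before a later LF that is followed by folding whitespace. */
    const char *samples[] = {
        "X-Foo: a",
        "X-Foo: a\n bee",
        "X-Foo: a\nSet-Cookie: x",
        "X-Foo: a\rSet-Cookie: x",
        "X-Foo: a\rInjected: b\n\t",
    };
    const char *desc[] = {
        "clean header",
        "folded continuation (legitimate)",
        "plain LF injection",
        "plain CR injection",
        "CR before a folded LF (bypasses flawed_check)",
    };
    size_t n = sizeof samples / sizeof samples[0];

    for (size_t i = 0; i < n; i++) {
        const char *h = samples[i];
        printf("flawed=%d fixed=%d  %s\n",
               flawed_check(h, strlen(h)), fixed_check(h, strlen(h)), desc[i]);
    }
    return 0;
}
```

Running it prints flawed=1 fixed=0 for the last sample only: the injected "Injected: b" line passes the flawed check because the '\r' preceding it is never reached by memchr, while the byte-by-byte check rejects it. Legitimate folding is still accepted by both, so the replacement does not change accepted inputs, only closes the skipped case.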
