Date: Tue, 16 Jun 2015 13:24:56 -0400 (EDT) From: cve-assign@...re.org To: thoger@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, kaplanlior@...il.com, security@....net Subject: Re: CVE Request: various issues in PHP -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 >> > >> https://bugs.php.net/bug.php?id=69418, >> > >> https://bugs.php.net/bug.php?id=68598 - various functions allow >> > >> \0 in paths where they shouldn't. In theory, that could lead to >> > >> security failure for path-based access controls if the user >> > >> injects string with \0 in it. It's a bit theoretical, but it's a >> > >> possibility. >> >> CVE-2015-4025, CVE-2015-4026 respectively. > Both of these CVEs are addressed in a single commit, that also covers > few other functions not mentioned in either of the two bug reports > (dir()/opendir() and chroot()). Which CVE do those additional fixes > fall under? They are not 5.4 regressions, so probably not > CVE-2015-4025, but maybe not under CVE-2015-4026 either given that bug > 68598 only mentions pcntl_exec(). In this type of situation, CVEs are assigned on a per-discoverer basis. CVE-2015-4025 is for thoger@...hat.com discoveries, whereas CVE-2015-4026 is for yohgaki@....net. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4025 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4026 > dir()/opendir() and chroot() Four weeks ago, we asked security@....net to contact us if those other changed functions were associated with vulnerability fixes. They have not contacted us about this. Are you reporting that some or all of them had vulnerabilities? For example, is it reasonable to expect that a PHP application may want the client to make a choice of a chroot directory, and the intended behavior is to restrict the choice to a name ending in ".d" but this can be bypassed by something like a "/usr/local/var/x/does-not-end-in-dot-d\0.d" value? > https://bugs.php.net/bug.php?id=69353 > http://git.php.net/?p=php-src.git;a=commitdiff;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80 > > More CVE-2015-4025 / CVE-2015-4026 / CVE-2006-7243 like issues. More > notes on what got changed is in RHBZ: > https://bugzilla.redhat.com/show_bug.cgi?id=1213407#c5 The neal@...com vulnerability discoveries in bug 69353 were assigned CVE-2015-3411 in April. The additional vulnerability discoveries in: http://git.php.net/?p=php-src.git;a=commit;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80 http://git.php.net/?p=php-src.git;a=commit;h=4435b9142ff9813845d5c97ab29a5d637bedb257 were assigned CVE-2015-3412. Use CVE-2015-4598 for the https://bugs.php.net/bug.php?id=69719 thoger@...hat.com vulnerability discoveries. > More unserialize issues. > https://bugs.php.net/bug.php?id=69152 > http://git.php.net/?p=php-src.git;a=commitdiff;h=51856a76f87ecb24fe1385342be43610fb6c86e4 Use CVE-2015-4599 for the taoguangchen@...oud.com discovery fixed in 51856a76f87ecb24fe1385342be43610fb6c86e4. > http://git.php.net/?p=php-src.git;a=commitdiff;h=0c136a2abd49298b66acb0cad504f0f972f5bfe8 Use CVE-2015-4600 for the taoguangchen@...oud.com discoveries in bug 69152 that were fixed in 0c136a2abd49298b66acb0cad504f0f972f5bfe8 - SoapClient::__getLastRequest, SoapClient::__getLastResponse, SoapClient::__getLastRequestHeaders, SoapClient::__getLastResponseHeaders, SoapClient::__getCookies, and SoapClient::__setCookie. Use CVE-2015-4601 for the other vulnerabilities fixed in 0c136a2abd49298b66acb0cad504f0f972f5bfe8, with the exception that the issue involving the uri property in do_soap_call is already covered by CVE-2015-4148. > http://git.php.net/?p=php-src.git;a=commitdiff;h=fb83c76deec58f1fab17c350f04c9f042e5977d1 Use CVE-2015-4602 for this issue mentioned at [2015-03-20 14:58 UTC] in bug 69152. > https://bugs.php.net/bug.php?id=69152 [2015-03-03 04:30 UTC] Use CVE-2015-4603 for the exception::getTraceAsString issue. As mentioned at [2015-03-25 09:57 UTC], the affected versions for this issue are different from those of other issues discussed in bug 69152. > https://bugs.php.net/bug.php?id=68819 > http://git.php.net/?p=php-src.git;a=commitdiff;h=f938112c495b0d26572435c0be73ac0bfe642ecd > > Fileinfo DoS. Use CVE-2015-4604 for the violation of the "mget() guarantees buf <= last" constraint suggested in the [2015-02-05 13:53 UTC] comment. Use CVE-2015-4605 for the issue in which offset can exceed bytecnt, suggested in the [2015-02-09 17:10 UTC] comment. These might be conceptually overlapping discoveries, but we decided to have the two CVE IDs. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVgFr7AAoJEKllVAevmvmsFpoIAKk541flrgppkYnl6DhxQ49O YKc29nQQrmGL9yZLMkGbOX2onVwCOhD4cUKVrPGNadiMhCL3uzBl3aIf6eVrWdBA 8Dqv7/1w14dAfinrRsGl+5pA+SnNhrMLhoCGecAHBVUjPJckP69PtM4h2/AqAXxv hxpRMZi9+demSpUUitA5Gik0f4uw8BllarCciZH/FgwCkIflqDGQ7nN80MnBwWl7 XLrIqdM81hksELsCYtWpN6LESwIwmRZWCLHeqilQiRdU2DSU1BRAYkVyef06Xyu5 WZdx1RJBNb63rwfqdEERR9Bkuu4tX4WJa9yC0YykdI6eUJZU1CLBu/i4xqhhlWE= =CFDR -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.