Date: Wed, 16 Mar 2016 19:03:44 -0400 (EDT) From: cve-assign@...re.org To: jmm@...ian.org Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: Three CVE requests for PHP -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > ZipArchive::extractTo allows for directory traversal when creating directories > https://bugs.php.net/bug.php?id=70350 > https://github.com/facebook/hhvm/commit/65c95a01541dd2fbc9c978ac53bed235b5376686 Use CVE-2014-9767 for this issue that was apparently disclosed in https://bugs.php.net/bug.php?id=67996 in 2014. The issue could be relevant in cases where, for example: - a parent directory is on a filesystem that can't support many inodes, and the attacker can cause a DoS by creating thousands of empty directories there - a parent directory is served by the web server and allows a full directory listing, and the attacker can therefore post spam in the form of directory names > https://bugs.php.net/bug.php?id=70385 > https://bugs.php.net/bug.php?id=70312 These were mentioned here 6 months ago in the http://www.openwall.com/lists/oss-security/2015/09/08/8 and earlier posts. We don't see any issue with re-opening the discussion at this point, but could you please provide new information or a counterargument? For example, in 70385, is the security concern that someone may deploy a web application that accepts arbitrary untrusted TIFF files and is intended to print EXIF values, but would realistically instead print the contents of other memory locations associated with a different client's session? In 70312, the "[2015-08-21 02:00 UTC]" comment says 'I'm sorry but I cannot change the bug type. It is not "Security".' Was it supposed to have been categorized as a security bug, or is the discussion from 6 months ago applicable: This might be primarily an interoperability bug. 70312 doesn't attempt to show that the hashes produced by PHP's HAVAL implementation had weaker security properties than those produced by a correct implementation. (One might also argue that applications requiring especially good hash properties should not be using HAVAL at all.) ? - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJW6eWGAAoJEL54rhJi8gl52vwQAJKFdLmLfg4LSaa+Z07OnbH+ nUuELFK3Y2d4q/cxj5Uy/uQSDh1ufVmOhLEu0aajVfIqSiVxyzxQ3BjRKTIvprtf Nennjbzwm9agJVyP2szFphJzvlrJrhKHkXU3jT1616tHl7ZFWcuthz4Fk3z0873k 2cJ6c6ek3sRK+Vv5WoNw1iFjkPu7qAQloX+x2ZxvT01zeElp2zrz7JJ4y1AGv6nb 54Wl334PCwuf0F/vV5G/GO3XQJdB5daQVMQ8OyRQVkn5KnqCDI8ceD0aG+Q1JZed seV2eo2lwhYzddd3cV03/R1zKUFXisUZEdjjnas5EXHdl/rdcN+clmYTNqjL6UaM Mo6PTOdN/egwAJC481zOdNjKWu2h8KT3XCXP1SLw6y0FC1IOeELnJqcFjEej1lDx nGWcw3AuHmf7+Iq4vw/16EB2ETTtM3GYEq2nFgxAImPSjtdLR6UznWV5ZHCwtWC/ RaGDY4ZGK2iKRMdCshOCeh0wp9f5D9pnZA89PygH+yThzjD5v9Y51EuBHVN3FUcP ZpIRFLVJJ5Vx+PibCXygHpD9DHN3PHEbdEMGP6hDeokLON9CrN8Uu6XzwbLDrQxM sTrn1AgElznVv5o4N3HwxcmDQwANG71EQeKwaV01gSEX/v2X9evV4I4AMfGv0d7k CAqu4MIzM9VyDkcLYcF/ =mvYU -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.