Date: Sat, 28 May 2016 23:22:55 -0400 (EDT) From: cve-assign@...re.org To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: Fwd: PHP-FPM fpm_log.c memory leak and buffer overflow -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > Date: Tue, 2 Feb 2016 17:10:22 +0100 > To: <oss-security@...ts.openwall.com> > Date: Mon, 25 Jan 2016 16:50:38 +0100 > To: bugtraq@...urityfocus.com > The FastCGI Process Manager (FPM) SAPI of PHP was vulnerable to memory > leak and buffer overflow in the access logging feature. > the PHP engine performed an out-of-boundaries read and also wrote a \n > character outside of the allocated memory. > http://git.php.net/?p=php-src.git;a=commit;h=2721a0148649e07ed74468f097a28899741eb58f > http://www.search-lab.hu/about-us/news/111-some-unusual-vulnerabilities-in-the-php-engine >> as it has some strict prerequisites, the severity is low. >> This was just an expanded version of the default access.format >> template, we added the REMOTE_ADDR and REQUEST_URI fields As explained in the www.search-lab.hu post (in the section between "We found the answer by reviewing the source code" and "And here we are"), there was really only one underlying problem: the code misinterpreted the semantics of the snprintf return value. Use CVE-2016-5114. The other outcomes were consequences of this. The "memory leak" is the same as the "out-of-boundaries read": extra bytes from process memory were being written to a log file that might be readable by untrusted users. The "buffer overflow" is the same as the "wrote a \n character outside of the allocated memory." - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXSmAHAAoJEHb/MwWLVhi2KkwQAJYehVlnt9SusqqgXhyhdZgt TwqfEcyDihIZRtNw1MVqSTyR3B5Tf8S0SiSeINC2uRvaWSia/NlSEjWuMshmDkIn vXsPj60bPpjtvU9DXK7NZ2L35zOqwaVLf/n/XnNf2dkHIVCE2uNfm2GvNyGjGSGn 8W38RS9xu1BJeF1PKtgkd3CdYKbfy2J/NZs59E02yhJ5gtQoR64n86zj2qdv5lhd /pTvd3QzdCztOU+/wKRA/vOlm0UJKc4vMyP92ffYPuQkPaqaA2AovzCGJuJ+vKoL XHSKvwigkLK1VECfTHpxmt0JXOHe4UMdDjSFPXryixjWxT0D3OnYU1lJKCn7XjKx UBGOm+p3CvEZ5+3pxDqI5oULJokn6ZiLBLuWP2rhDITcyEsRbr745UQCJ0kZjuSu tHheUYJWRHo4XOHQkeV2eiVrZTjTo/1txTUZCoenV57WK8EnOiKuoFaBbq0xddtq UfQMWB6wYFf7n7O4LuMPxcE4UgC6dO04CuY12yHduarvxcPb/r7n9H8ACyexb93k OvmhaX2fDJNEjQ2ZGIBvOhKXJAYCe/kHjCeFH256xAfQhe2eW14SLo53Akt6dgvg 0jzyABI/KSbJnpWqwB3Bf1K9vfmSmBCEWYJVlY0HCtE5caqe+IJSE5RygSlR22Ha 7YksgydiRGiXmapN76dc =ONL0 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.