Date: Tue, 18 Oct 2016 12:34:36 -0400 (EDT)
From: cve-assign@...re.org
To: kaplanlior@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE assignment for PHP 5.6.27 and 7.0.12

> Please assign a CVE for the following issue:
> 
> Bug #73147    Use After Free in unserialize()
> https://bugs.php.net/bug.php?id=73147
> http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f

Can you clarify what should be the scope of this CVE?
zend_unset_property doesn't exist at all in PHP 7.0.11. The
0e6fe3a4c96be2d3e88389a5776f878021b4c59f commit adds
zend_unset_property for PHP 7.0.12, and arranges for
zend_unset_property to be called only from
"ZEND_METHOD(CURLFile, __wakeup)" in ext/curl/curl_file.c.

We're not sure whether that affects anything outside of the CURLFile
implementation. However, 73147 discusses other concerns such as "The
similar bug can be also triggered via Exception::__toString with
DateInterval::__wakeup" and "The problem is that every __wakeup that
modifies any property would produce the same problem."

There seems to be a related code change between 7.0.11 and 7.0.12 that
arranges for additional calls to zend_unset_property:

  http://git.php.net/?p=php-src.git;a=blobdiff;f=Zend/zend_exceptions.c;h=f21968733581a3cb672d039bec16ce6f17a93db9;hp=95d18f45fbea8808c00975b5df4619d5d6745ab0;hb=689a9b8def07875641b3132a82c701fb7acb676c;hpb=4165d976066129000d947ffa3be73f91e9867635

So, some of the options include:

1. 0e6fe3a4c96be2d3e88389a5776f878021b4c59f is a complete security
patch that fixes everything discussed in 73147, including the "other
concerns" mentioned above.

2. 0e6fe3a4c96be2d3e88389a5776f878021b4c59f fixes only the CURLFile
implementation. The "other concerns" mentioned above are
vulnerabilities that still exist in 7.0.12.

3. The combination of 0e6fe3a4c96be2d3e88389a5776f878021b4c59f and the
above Zend/zend_exceptions.c diff is a complete security patch that
fixes everything discussed in 73147, including the "other concerns"
mentioned above. There only needs to be one CVE ID associated with
this complete security patch.

4. The combination of 0e6fe3a4c96be2d3e88389a5776f878021b4c59f and the
above Zend/zend_exceptions.c diff is a complete security patch that
fixes everything discussed in 73147, including the "other concerns"
mentioned above. There should be one CVE ID for the security fix to
the CURLFile implementation, and a separate CVE ID for the security
fix found in Zend/zend_exceptions.c.

Which of the above (1 through 4) is correct and/or preferred?

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]