Date: Tue, 1 Nov 2016 10:58:28 +0200
From: Lior Kaplan <kaplanlior@...il.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE assignment for PHP 5.6.27 and 7.0.12

On Tue, Oct 18, 2016 at 7:34 PM, <cve-assign@...re.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > Please assign a CVE for the following issue:
> >
> > Bug #73147    Use After Free in unserialize()
> > https://bugs.php.net/bug.php?id=73147
> > http://git.php.net/?p=php-src.git;a=commit;h=0e6fe3a4c96be2d3e88389a5776f878021b4c59f
>
> Can you clarify what should be the scope of this CVE?
> zend_unset_property doesn't exist at all in PHP 7.0.11. The
> 0e6fe3a4c96be2d3e88389a5776f878021b4c59f commit adds
> zend_unset_property for PHP 7.0.12, and arranges for
> zend_unset_property to be called only from
> "ZEND_METHOD(CURLFile, __wakeup)" in ext/curl/curl_file.c.
>
> We're not sure whether that affects anything outside of the CURLFile
> implementation. However, 73147 discusses other concerns such as "The
> similar bug can be also triggered via Exception::__toString with
> DateInterval::__wakeup" and "The problem is that every __wakeup that
> modifies any property would produce the same problem."
>
> There seems to be a related code change between 7.0.11 and 7.0.12 that
> arranges for additional calls to zend_unset_property:
>
>   http://git.php.net/?p=php-src.git;a=blobdiff;f=Zend/zend_exceptions.c;h=f21968733581a3cb672d039bec16ce6f17a93db9;hp=95d18f45fbea8808c00975b5df4619d5d6745ab0;hb=689a9b8def07875641b3132a82c701fb7acb676c;hpb=4165d976066129000d947ffa3be73f91e9867635
>
> So, some of the options include:
>
> 1. 0e6fe3a4c96be2d3e88389a5776f878021b4c59f is a complete security
> patch that fixes everything discussed in 73147, including the "other
> concerns" mentioned above.
>
> 2. 0e6fe3a4c96be2d3e88389a5776f878021b4c59f fixes only the CURLFile
> implementation. The "other concerns" mentioned above are
> vulnerabilities that still exist in 7.0.12.
>
> 3. The combination of 0e6fe3a4c96be2d3e88389a5776f878021b4c59f and the
> above Zend/zend_exceptions.c diff is a complete security patch that
> fixes everything discussed in 73147, including the "other concerns"
> mentioned above. There only needs to be one CVE ID associated with
> this complete security patch.
>
> 4. The combination of 0e6fe3a4c96be2d3e88389a5776f878021b4c59f and the
> above Zend/zend_exceptions.c diff is a complete security patch that
> fixes everything discussed in 73147, including the "other concerns"
> mentioned above. There should be one CVE ID for the security fix to
> the CURLFile implementation, and a separate CVE ID for the security
> fix found in Zend/zend_exceptions.c.
>
> Which of the above (1 through 4) is correct and/or preferred?
>

I've asked Stas (who fixed the issue) and #2 is the current situation.

Kaplan
