List: oss-security
Subject: [oss-security] Re: Re: CVE Request -- PHP 5 - 5.2.11
From: Raphael Geissert <geissert () debian ! org>
Date: 2009-10-27 6:27:59
Message-ID: hc63s3$t68$1 () ger ! gmane ! org
Tomas Hoger wrote:
> On Thu, 15 Oct 2009 18:47:15 -0500 Raphael Geissert wrote:
>
>> > Name: CVE-2009-3291
>> >
>> > The php_openssl_apply_verification_policy function in PHP before
>> > 5.2.11 does not properly perform certificate validation, which has
>> > unknown impact and attack vectors, probably related to an ability to
>> > spoof certificates.
>>
>> Yes, seems to be related to an improper handling of \0 in the CN
>> field.
>
> Agree. This change, however, seems to have a minimal impact on today's
> real world PHP applications. Certificate verification is not enabled by
> default and there seem to be very few applications that actually enable
> it. I have some notes in:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3291
I see, thanks, I had not noticed that.
>
>> > Name: CVE-2009-3292
>> >
>> > Unspecified vulnerability in PHP before 5.2.11 has unknown impact
>> > and attack vectors related to "missing sanity checks around exif
>> > processing."
>>
>> It is related to missing sanity checks when determining the length of
>> sections of jpg headers and a missing limit on the nesting level of
>> TIFF files.
>
> There are 3 changes in the upstream path:
> - missing header length check, with similar impact as CVE-2009-2687 in
> the worst case
> - missing nesting level checks for TIFFs, crafted file can lead to deep
> recursion exhausting stack memory resulting in rather harmless crash
> - missing EOF checks, possibly leading to NULL deref or PHP memory
> limit exception
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3292
>
You are right, I forgot about the missing EOF checks.
It would be great if the descriptions of the CVEs were updated to make them
reflect the known information about the issues.
Regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
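The header-length and EOF sanity checks discussed above, shown on a minimal JPEG marker-segment walker; this is an added example written for this page, not PHP's exif code, and the sample files are constructed bytes rather than real camera output.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field (TEM, RSTn, SOI, EOI).
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}


def walk_jpeg_segments(data: bytes):
    """Return [(marker, payload)] for each segment before SOS/EOI.

    Every declared length is checked against the bytes actually present,
    so a crafted header can neither make the walker read past the buffer
    nor push a 'length - 2' computation below zero.
    """
    if len(data) < 2 or data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos, segments = 2, []
    while True:
        if pos + 2 > len(data):  # EOF check: need two marker bytes
            raise ValueError("truncated: EOF before marker at offset %d" % pos)
        if data[pos] != 0xFF:
            raise ValueError("expected 0xFF at offset %d" % pos)
        marker = data[pos + 1]
        pos += 2
        if marker in (SOS, EOI):  # entropy-coded data or end of image: stop
            return segments
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):  # EOF check: need the length field itself
            raise ValueError("truncated: EOF before length of 0x%02X" % marker)
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:  # header length sanity check (length includes itself)
            raise ValueError("invalid length %d for marker 0x%02X" % (length, marker))
        if pos + length > len(data):  # declared length exceeds the file
            raise ValueError("segment 0x%02X declares %d bytes, only %d left"
                             % (marker, length, len(data) - pos))
        segments.append((marker, data[pos + 2:pos + length]))
        pos += length


# Constructed samples: SOI, one APP1 "Exif" segment, then SOS.
APP1_PAYLOAD = b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08"
GOOD_JPEG = (b"\xff\xd8\xff\xe1" + struct.pack(">H", 2 + len(APP1_PAYLOAD))
             + APP1_PAYLOAD + b"\xff\xda")
# Same layout, but APP1 claims 0x1000 bytes that are not in the file.
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + struct.pack(">H", 0x1000) + APP1_PAYLOAD + b"\xff\xda"
# Length field below the 2-byte minimum: the 'length - 2' underflow case.
BAD_LENGTH_JPEG = b"\xff\xd8\xff\xe1\x00\x01" + APP1_PAYLOAD


def is_well_formed(data: bytes) -> bool:
    try:
        walk_jpeg_segments(data)
        return True
    except ValueError:
        return False
```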