
List:       oss-security
Subject:    [oss-security]  Re: Re: CVE Request -- PHP 5 - 5.2.11
From:       Raphael Geissert <geissert () debian ! org>
Date:       2009-10-27 6:27:59
Message-ID: hc63s3$t68$1 () ger ! gmane ! org

Tomas Hoger wrote:

> On Thu, 15 Oct 2009 18:47:15 -0500 Raphael Geissert wrote:
> 
>> > Name: CVE-2009-3291
>> > 
>> > The php_openssl_apply_verification_policy function in PHP before
>> > 5.2.11 does not properly perform certificate validation, which has
>> > unknown impact and attack vectors, probably related to an ability to
>> > spoof certificates.
>> 
>> Yes, seems to be related to an improper handling of \0 in the CN
>> field.
> 
> Agree.  This change, however, seems to have a minimal impact on today's
> real world PHP applications.  Certificate verification is not enabled by
> default and there seem to be very few applications that actually enable
> it.  I have some notes in:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3291

I see, thanks, I had not noticed that. 

> 
>> > Name: CVE-2009-3292
>> >
>> > Unspecified vulnerability in PHP before 5.2.11 has unknown impact
>> > and attack vectors related to "missing sanity checks around exif
>> > processing."
>> 
>> It is related to missing sanity checks when determining the length of
>> sections of jpg headers and a missing limit on the nesting level of
>> TIFF files.
> 
> There are 3 changes in the upstream path:
> - missing header length check, with similar impact as CVE-2009-2687 in
>   the worst case
> - missing nesting level checks for TIFFs, crafted file can lead to deep
>   recursion exhausting stack memory resulting in rather harmless crash
> - missing EOF checks, possibly leading to NULL deref or PHP memory
>   limit exception
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3292
> 

You are right, I forgot about the missing EOF checks.

It would be great if the descriptions of the CVEs were updated to make them
reflect the known information about the issues.

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
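The header-length and EOF checks discussed for CVE-2009-3292 above, as an added illustration that is neither PHP's exif.c nor either poster's code: a minimal JPEG marker-segment walker in C that validates every declared segment length against the bytes actually present before advancing (the TIFF nesting-depth limit is not covered here). The function and error-code names are assumed for this example, and fill bytes between markers are not handled.

```c
#include <stddef.h>
#include <stdint.h>
/* Walker result codes (names assumed for this example). */
enum {
    JPEG_ERR_NO_SOI     = -1,  /* buffer does not start with FF D8  */
    JPEG_ERR_TRUNCATED  = -2,  /* data ends inside a marker/segment */
    JPEG_ERR_BAD_MARKER = -3,  /* FF marker prefix missing          */
    JPEG_ERR_BAD_LENGTH = -4   /* declared length below its own 2 bytes */
};

/* Walk JPEG header segments from SOI until SOS or EOI, checking every
 * declared segment length against the bytes actually present before
 * advancing. Returns the number of length-bearing segments walked (>= 0)
 * or a negative error code. */
int jpeg_walk_segments(const uint8_t *buf, size_t len)
{
    size_t pos = 2;
    int count = 0;

    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_ERR_NO_SOI;

    for (;;) {
        uint8_t marker;
        size_t seglen;
        if (len - pos < 2)              /* EOF check: marker present? */
            return JPEG_ERR_TRUNCATED;
        if (buf[pos] != 0xFF)
            return JPEG_ERR_BAD_MARKER;
        marker = buf[pos + 1];
        pos += 2;

        if (marker == 0xD9 || marker == 0xDA)   /* EOI / SOS: headers end */
            return count;
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7))
            continue;                           /* TEM / RSTn: no length */

        if (len - pos < 2)              /* EOF check: length field present? */
            return JPEG_ERR_TRUNCATED;
        seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        /* The length field counts itself; below 2, "seglen - 2" underflows. */
        if (seglen < 2)
            return JPEG_ERR_BAD_LENGTH;
        if (seglen > len - pos)         /* EOF check: whole segment in buffer? */
            return JPEG_ERR_TRUNCATED;

        pos += seglen;
        count++;
    }
}
```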

