[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Potential security issues fixed in PHP 5.3.9
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-01-20 23:49:38
Message-ID: 4F19FD92.4090803 () redhat ! com
[Download RAW message or body]

On 01/20/2012 05:22 AM, Pierre Joye wrote:
> hi!
> 
> On Fri, Jan 20, 2012 at 6:00 AM, Kurt Seifried <kseifried@redhat.com> wrote:
> > Hi, in addition to the xslt arbitrary file creation) there are some more potential security \
> > vulnerabilities that appear to have been fixed in 5.3.9. Can you confirm if these are not \
> > security issues? Also will you need CVE assignments for the ones that are (I can help with \
> > that). 
> > Sending to security@php.net again and cc'ing oss-sec in case anyone on the list has \
> > ideas/comments. 
> > From the ChangeLog:
> > 
> > ===========================================================
> > Fixed bug #60150 (Integer overflow during the parsing of invalid exif
> > header). (Stas, flolechaud at gmail dot com) - security bug
> > There is an integer overflow in ext/exif/exif.c that can be used in order to
> > cause a denial of service or read arbitrary memory.
> Which one?
My bad, I read the NEWS and then the ChangeLog and promptly forgot that
CVE-2011-4566 had been assigned. I emailed with Pierre Joye, here is a
summary:

> > ==========
> > Fixed bug #55776 (PDORow to session bug). (Johannes)
> > Is a Apache crash. It gives a CGI/FastCGI Send/Don't Send window.
> > http://img171.imageshack.us/img171/3953/57126366.jpg [Open URL]
> > After few minutes is crashing apache server:
> > http://img840.imageshack.us/img840/2981/21231006.jpg [Open URL]
Please use CVE-2012-0788 for this issue.

> > ==========
> > Fixed bug #60279 (Fixed NULL pointer dereference in
> > stream_socket_enable_crypto, case when ssl_handle of session_stream is
> > not initia\
> > lized.) (shm) - (needs bad code)
> > 
> > ==========
> > Fixed bug #55622 (memory corruption in parse_ini_string). (Pierre) -
> > need access to ini style config, but can cause memory corruption\
> > (code exec?)
These need to be researched a bit more (do they have a security impact?).
> > ==========
> > Fixed bug #53502 (strtotime with timezone memory leak). (Derick) - minor
> > dos?
> I don't think we can or should consider memory leaks as DoS :)
> 
Unfortunately memory leaks (where memory is used, then released but not
released properly) can result in denial of service attacks.

Please use CVE-2012-0789 for this issue.

-- 

-- Kurt Seifried / Red Hat Security Response Team


[prev in list] [next in list] [prev in thread] [next in thread]