[php-maint] status of multiple vulnerabilities in php4/sarge: update
seanius at debian.org
Tue Aug 15 15:58:44 UTC 2006
hey security peeps,
i've been spending a bit of time on the list of known/open php
vulnerabilities in sarge. i have a work-in-progress NMU prepared,
along with some PoC code for the easy-to-verify vulns here:
below is a list of the open CVEs according to the security-testing
CVE tracker, and their status wrt the above NMU. some could use
a second set of eyes, others could use general opinions:
CVE-2005-3353: patched and verified with PoC
CVE-2006-1990: patched and verified with PoC
CVE-2005-3388: patched and verified with PoC
CVE-2006-0996: patched and verified with PoC
CVE-2002-1954: could not reproduce, but the patch for CVE-2005-3388
would fix it if it were a vulnerability
CVE-2005-3883: patched but not verified (taken from other vendor)
CVE-2005-3389: patched but not verified (taken from other vendor)
CVE-2006-1490: patched but not verified (taken from other vendor)
CVE-2006-0208: patched but not verified (taken from other vendor)
CVE-2005-1759: a fix for this was already present in 4.3.10-16
and finally, the ones needing further review/discussion:
CVE-2005-3319: (htaccess session.save_path DoS) can't reproduce.
CVE-2006-0931: (directory traversal with submitted tar archives in pear)
there's some question as to whether this is actually
a problem with pear. i'd argue that the responsibility
is on the application using pear::tar to ensure valid
contents in the archive, just like any other input
CVE-2006-1014: (see below)
CVE-2006-1015: (attack vectors on sendmail via cmdline argument injection)
again, i would argue this is a case of application
responsibility to sanitize input. the CVE author hints
at this as well with a note in the mitre.org entry.
CVE-2006-1549: (infinitely recursive functions can cause crash/segfault)
my thought on this is "well, duh".
phew. okay afaik that's it; feedback would be appreciated.
ps - i am cc'ing the current php maintainers so they are in the loop and
can provide feedback as well.
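On the CVE-2006-0931 point (the application, not pear::tar, is responsible for what the archive contains), this is the kind of check an application would run over an untrusted upload before extracting it. It is an added example, not PEAR's code and not part of the NMU. It assumes only the entry shape that Archive_Tar::listContent() returns (an array of arrays with 'filename', 'typeflag' and 'link' keys); the function names and the sample listing are this example's own, and the listing is constructed inline so the script runs without PEAR installed.

```php
<?php
// Added example, not PEAR code: reject tar members that could escape the
// extraction directory before Archive_Tar::extract() ever sees the archive.

// True only for a plain relative path: no absolute form, no drive letter,
// and no '..' component at all. A '..' that looks harmless lexically
// ('pkg/lib/../x') can still escape if 'pkg/lib' was created as a symlink
// by an earlier member, so any '..' is refused rather than normalised.
function tar_path_is_safe($path)
{
    if ($path === '') {
        return false;
    }
    $p = str_replace('\\', '/', $path);
    if ($p[0] === '/' || preg_match('/^[A-Za-z]:/', $p)) {
        return false;
    }
    foreach (explode('/', $p) as $component) {
        if ($component === '..') {
            return false;
        }
    }
    return true;
}

// Judge one listContent()-style entry. Symlink members ('2') are also
// judged by their target, because a link pointing outside the tree lets a
// later member write through it. Hard links, devices and fifos are refused
// outright; only '0' / '' (file), '5' (directory) and '2' are accepted.
function tar_entry_is_safe($entry)
{
    if (!tar_path_is_safe($entry['filename'])) {
        return false;
    }
    $type = isset($entry['typeflag']) ? $entry['typeflag'] : '0';
    if (!in_array($type, array('0', '', '5', '2'), true)) {
        return false;
    }
    if ($type === '2' && !tar_path_is_safe($entry['link'])) {
        return false;
    }
    return true;
}

// Names of all offending members; an empty array means the archive may be
// handed to extract(). The caller should refuse the whole archive on any hit
// rather than skip the bad members, since a partial extract is rarely useful.
function tar_unsafe_entries($entries)
{
    $bad = array();
    foreach ($entries as $e) {
        if (!tar_entry_is_safe($e)) {
            $bad[] = $e['filename'];
        }
    }
    return $bad;
}

// Constructed sample listing, shaped like listContent() output.
$sample = array(
    array('filename' => 'pkg/README',         'typeflag' => '0', 'link' => ''),
    array('filename' => 'pkg/lib/',           'typeflag' => '5', 'link' => ''),
    array('filename' => 'pkg/lib/cfg',        'typeflag' => '2', 'link' => 'defaults/cfg'),
    array('filename' => '../../etc/cron.d/x', 'typeflag' => '0', 'link' => ''),
    array('filename' => '/etc/passwd',        'typeflag' => '0', 'link' => ''),
    array('filename' => 'pkg/lib/etc',        'typeflag' => '2', 'link' => '../../../etc'),
    array('filename' => 'pkg/lib/dev',        'typeflag' => '3', 'link' => ''),
);

foreach (tar_unsafe_entries($sample) as $name) {
    echo "refused: $name\n";
}

// With PEAR installed the same check sits in front of the real extraction:
//   require_once 'Archive/Tar.php';
//   $tar = new Archive_Tar($uploaded_file);
//   $list = $tar->listContent();          // returns 0 on a malformed archive
//   if (is_array($list) && count(tar_unsafe_entries($list)) == 0) {
//       $tar->extract($destination_dir);
//   }
```

The strictness is deliberate: the check refuses rather than rewrites, because a "cleaned" name no longer corresponds to what the archive author meant and the application cannot tell a typo from an attack.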
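On the CVE-2006-1015 point (argument injection into sendmail through mail()'s fifth parameter is the application's input problem), the following shows the vulnerable shape beside the checked one. It is an added example, not PHP's code and not from the NMU. It relies only on documented mail() behaviour: the additional_parameters string is appended to the sendmail command line, so whitespace-separated tokens in it become separate sendmail arguments. The function names and the sample inputs are this example's own; "-X" is used as an illustrative sendmail option (sendmail writes a traffic transcript to the file named after it).

```php
<?php
// Added example, not PHP source: build mail()'s fifth argument safely.
// Anything passed there reaches sendmail's option parser, and
// escapeshellcmd() does not help because neither spaces nor '-' are shell
// metacharacters.

// Vulnerable shape: the envelope sender is taken straight from the request.
// A value like "alice@example.org -X /tmp/trace.log" (constructed for
// illustration) would turn into two extra sendmail arguments.
function sendmail_args_unsafe($from)
{
    return '-f' . $from;
}

// Checked shape: the address must match a deliberately narrow addr-spec, so
// the result is exactly one token with no whitespace, quotes, '<', CR or LF.
// That also makes it safe to reuse in a "From:" header without CRLF
// injection. The /D modifier stops '$' from matching before a trailing
// newline, which plain '$' would otherwise allow.
function sendmail_args_checked($from)
{
    $pattern = '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/D';
    if (strlen($from) > 254 || !preg_match($pattern, $from)) {
        return false;   // refuse rather than "clean"
    }
    return '-f' . $from;
}

// How an application would use it: no mail() call at all unless the
// sender survived the check. (Defined here, not invoked, so the script
// runs on a machine without a sendmail binary.)
function send_notice($to, $subject, $body, $from)
{
    $args = sendmail_args_checked($from);
    if ($args === false) {
        return false;
    }
    return mail($to, $subject, $body, "From: $from\r\n", $args);
}

// Constructed inputs: one legitimate, three hostile.
$inputs = array(
    'alice@example.org',
    'alice@example.org -X /tmp/trace.log',
    "alice@example.org\r\nBcc: everyone@example.net",
    "alice@example.org\n",
);

foreach ($inputs as $in) {
    $r = sendmail_args_checked($in);
    echo $r === false ? "rejected: " : "accepted: $r  <- ";
    echo str_replace(array("\r", "\n"), array('\r', '\n'), $in), "\n";
}
```

Only the first input is accepted; the option-injection string, the header-injection string and the trailing-newline variant are all refused, which is the behaviour the "application responsibility" position argued above actually requires of callers.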