[php-maint] update on latest batch of CVE's for php

sean finney seanius at debian.org
Sun Feb 18 23:02:51 UTC 2007


hey folks,

just fyi, i put a nice big chunk of time into analyzing the latest batch
of CVE's (2007-0905 - 0911), but there is still significant work to be
done before we're ready for an update.  here's a quick summary, followed
by a CVE-by-CVE status.

 * executive summary

most of the vulnerabilities have been found and the patches isolated,
after some aggressive pruning of the 200k lines of diff code and digging
through upstream cvs commit logs. some of the patches are incomplete,
and some have additional non-related changes that need to be filtered
out.

also, i've similarly reduced the 40k lines of diff code from 4.4.5 to
around 1.5k lines of relevant patches.  however, i want to make sure
that we get php5 fixed up first, as it's not unimaginable that something
was left out of the 4.4.5 release.

all of my work-in-progress patches and any other pertinent data
can be found at

	http://people.debian.org/~seanius/security/php

in this directory there are a number of patches named in a rather
self-descriptive manner.  there's also a group of CHECKME patches, which
i thought may belong to one of the CVE patches listed here (see below),
or otherwise caught my attention for some reason (the fopen one looks
really suspicious, for example)

 * CVE-2007-0905 (safe_mode/open_basedir bypass in session extension)

for starters i'm going on the assumption that this one won't be a high
priority for us, as the prevailing attitude for safe_mode/open_basedir
is that it's broken by design and thus we don't want to reinforce the
illusion of security... or at least spend our time on it.

however, it looks like the fixes for this might be mixed up with another
CVE (2007-0906 part 1), so we might end up fixing it incidentally as
part of this other fix, which i don't think we should go out of our way
to avoid.

 * CVE-2007-0906 (Multiple buffer overflows in various extensions)

you really have to love the level of information provided.  "multiple
buffer overflows... ...cause a denial of service and execute
arbitrary code via unspecified vectors..."

anyway, i've isolated the meat of each of the changes (see links
at bottom of mail).  for some of them i have the exact lines of code
that fix the problem, for others i have the lines of code mixed up
with other possibly unrelated changes in the same file, which still
needs to be sorted out.

 * CVE-2007-0907 (Buffer underflow in sapi_header_op)

found and isolated.

 * CVE-2007-0908 (information disclosure via wddx extension)

debian does not ship the wddx extension, so no fix needed.

 * CVE-2007-0909 (fmt string vulnerabilities in print and odbc funcs)

i've found the odbc function fix, but i'm not sure about exactly what
the format string fixes are.  i've found two or three patches, at least
one of which is responsible for fixing it (some of the
CHECKME-*-maybecve.diff patches at the above link), but need more time
and possibly a little help to determine the fix.

 * CVE-2007-0910 (clobbering of certain super-global variables)

i believe i've found this, though a confirmation from upstream would
be nice.

 * CVE-2007-0911 (segfaults from str_ireplace due to off-by-one)

we're not currently affected by this as it is a regression introduced in
5.2.1, but we should remember to have a patch for it when we get around
to releasing 5.2.1.

 * Next steps

there's a little more cleanup that needs to be done in some of the
patches, and some level of verification from the upstream authors would
be very useful.  PoC code would probably be too much to ask for...
after we feel comfortable about the fixes, we can compare the
accumulated patches to the cleaned up diff i've extracted from php4
(there's a 4.4.4_4.4.5-somethingsomething.diff in the above link)

reading through the upstream mail archive (as well as the CVE
descriptions themselves) upstream seems rather tight-lipped about
details, so i'm a bit pessimistic that we'll actually get any kind of
positive feedback from them.  i'd love to be proved wrong though so i'll
give it a shot.  might also be worth contacting stefan esser as i think
he knows the details of most of these CVE's.


	sean