[Secure-testing-team] PHP bugs: fixed or not?

Moritz Muehlenhoff jmm at inutil.org
Mon Apr 30 23:49:38 UTC 2007


sean finney wrote:
> hey guys,
> 
> to quote a little godfather... 
> 	"Just when I thought that I was out they pull me back in"

You don't have a chance. Stefan Esser is the Luca Brasi of PHP Security.

> On Mon, 2007-04-30 at 23:44 +0200, Stefan Fritsch wrote:
> > On Montag, 30. April 2007, Francesco Poli wrote:
> > > The following ones are claimed to be fixed for sid in php5 version
> > > 5.2.0-11 by DSA 1283-1, but are still considered unfixed in sid by
> > > the tracker:
> > >
> > > CVE-2007-1375 CVE-2007-1376 CVE-2007-1380 CVE-2007-1453
> > > CVE-2007-1454 CVE-2007-1521 CVE-2007-1583 CVE-2007-1711
> > > CVE-2007-1718 CVE-2007-1824 CVE-2007-1887 CVE-2007-1889
> > > CVE-2007-1900
> > >
> > 
> > CVE-2007-1711 does not seem to be fixed (but is unimportant). The rest 
> > are fixed. There is a typo in the changelog though: 
> > CVE-2007-1453-MOPB-18 should be ...-1454-...
> 
> i *think* CVE-2007-1711 is already fixed in the version of the patch we
> have for CVE-2007-0910.  are you basing your finding on looking at the
> patch/changelog, or have you confirmed it's actually vulnerable?  my
> test poc doesn't seem to work anyway.

Are we talking about php5? CVE-2007-1711 is php4 only.
 
> > > The following ones are claimed to be fixed for sid in php4 version
> > > 4.4.6-1 by DSA 1282-1, but are still considered unfixed in sid by
> > > the tracker:
> > >
> > > CVE-2007-1286 CVE-2007-1380 CVE-2007-1521 CVE-2007-1711
> > > CVE-2007-1718 CVE-2007-1777
> > 
> > I could only find information that CVE-2007-1286, CVE-2007-1380, and 
> > CVE-2007-1777 are fixed. I don't think the rest are fixed.
> > 
> > @Sean: do you have more information? Thanks.
> 
> it looks like CVE-2007-1521 CVE-2007-1711 and CVE-2007-1718 were all
> fixes > 4.4.6, grumble.  i've applied the patches for each of them, and
> i guess i'll be making another upload...

No need to flog a dead horse. Better spend the time filing RC bugs for
php4 removal blocks. Just today someone uploaded php-imagick with
updated php4 support...

Cheers,
        Moritz


