oss-sec mailing list archives
Re: CVE request: PHP MOPS-2010-56..60
From: Pierre Joye <pierre.php () gmail com>
Date: Fri, 20 Aug 2010 13:24:57 +0200
On Fri, Aug 20, 2010 at 1:00 PM, Tomas Hoger <thoger () redhat com> wrote:
On Fri, 20 Aug 2010 12:38:31 +0200 Pierre Joye wrote:
MOPS-2010-056 - MOPS-2010-060 as subject indicates. Those are mysqlnd issues and session serializer issue allowing data injection. Not any from that set of interruption issues that exposed one or two problems in different ways.
As far as I can tell and see, both the mysqlnd and session issues have been fixed.
Raphael posted commit links earlier in this thread.
Phar: http://svn.php.net/viewvc?view=revision&revision=298667
I'm aware of that commit. It does not change php_stream_wrapper_log_error invocation from phar_stream_flush, as mentioned in MOPS-2010-024: http://svn.php.net/viewvc/php/php-src/trunk/ext/phar/stream.c?view=markup&pathrev=298667#l471
Hence the question if there is some less obvious change that make that particular cases non-issue too.
I missed that part, thanks for pointing me to it. I will commit a fix later today. However, it is the same issue as the other phar flaws in this MOPS.
As far as I remember, the resources related issues are not fixed (-22 and -03), it is also not new and related to the same bug. I also don't think that it will get fixed any time soon as it is not possible to fix easily. I think there is already a CVE about this problem.
Are you aware of any good bugs.php.net reference that covers the issue in greater detail?
There is no bug report about MOPS, sadly. There were a couple of discussions on security@ but nothing interesting or new (Joe may have them as he is part of this list too). All we had are the blog posts from Stefan.
Cheers,
--
Pierre
@pierrejoye | http://blog.thepimp.net | http://www.libgd.org