Re: Re: CVE Request -- PHP 5 - 5.2.11

[Tomas Hoger <thoger () redhat com>]

On Thu, 15 Oct 2009 18:47:15 -0500 Raphael Geissert
<geissert () debian org> wrote:

> > Name: CVE-2009-3291
> >
> > The php_openssl_apply_verification_policy function in PHP before
> > 5.2.11 does not properly perform certificate validation, which has
> > unknown impact and attack vectors, probably related to an ability to
> > spoof certificates.
>
> Yes, seems to be related to an improper handling of \0 in the CN
> field.

Agree.  This change, however, seems to have a minimal impact on today's 
real world PHP applications.  Certificate verification is not enabled by
default and there seem to be very few applications that actually enable
it.  I have some notes in:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3291

> > Name: CVE-2009-3292
> >
> > Unspecified vulnerability in PHP before 5.2.11 has unknown impact
> > and attack vectors related to "missing sanity checks around exif
> > processing."
>
> It is related to missing sanity checks when determining the length of
> sections of jpg headers and a missing limit on the nesting level of
> TIFF files.

There are 3 changes in the upstream path:
- missing header length check, with similar impact as CVE-2009-2687 in
  the worst case
- missing nesting level checks for TIFFs, crafted file can lead to deep
  recursion exhausting stack memory resulting in rather harmless crash
- missing EOF checks, possibly leading to NULL deref or PHP memory
  limit exception

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3292

-- 
Tomas Hoger / Red Hat Security Response Team