Re: Re: CVE Request -- PHP 5 - 5.2.11

[Raphael Geissert <geissert () debian org>]

Tomas Hoger wrote:

> On Thu, 15 Oct 2009 18:47:15 -0500 Raphael Geissert wrote:
>
> > > Name: CVE-2009-3291
> > >
> > > The php_openssl_apply_verification_policy function in PHP before
> > > 5.2.11 does not properly perform certificate validation, which has
> > > unknown impact and attack vectors, probably related to an ability to
> > > spoof certificates.
> >
> > Yes, seems to be related to an improper handling of \0 in the CN
> > field.
>
> Agree.  This change, however, seems to have a minimal impact on today's
> real world PHP applications.  Certificate verification is not enabled by
> default and there seem to be very few applications that actually enable
> it.  I have some notes in:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3291

I see, thanks, I had not noticed that. 

> > > Name: CVE-2009-3292
> > >
> > > Unspecified vulnerability in PHP before 5.2.11 has unknown impact
> > > and attack vectors related to "missing sanity checks around exif
> > > processing."
> >
> > It is related to missing sanity checks when determining the length of
> > sections of jpg headers and a missing limit on the nesting level of
> > TIFF files.
>
> There are 3 changes in the upstream path:
> - missing header length check, with similar impact as CVE-2009-2687 in
>   the worst case
> - missing nesting level checks for TIFFs, crafted file can lead to deep
>   recursion exhausting stack memory resulting in rather harmless crash
> - missing EOF checks, possibly leading to NULL deref or PHP memory
>   limit exception
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3292

You are right, I forgot about the missing EOF checks.

It would be great if the descriptions of the CVEs were updated to make them
reflect the known information about the issues.

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net