Re: utf-8 security issue in php - 2 CVEs?

[Pierre Joye <pierre.php () gmail com>]

hi,

New fixes or improved fixes, even for known flaw, get new CVE #. I was
not sure about that a couple of months ago, but that's the answer I
got when I asked about the policy for such cases. I think it makes
even more sense in this particular flaw.

Cheers,

On Tue, Nov 16, 2010 at 7:30 AM, Huzaifa Sidhpurwala
<huzaifas () redhat com> wrote:
> Hi,
> This is regarding the "utf-8 security issue in php", which was discussed
> on this list[1]
> From the php bug[2], it is clear that this issue has been assigned
> CVE-2010-3870
>
> However yesterday another CVE was assigned to this bug i.e. CVE-2009-5016[3]
>
> The upstream bug report, describes two issues:
> a. An integer overflow
> b. flaw in handling ill-formed UTF8 characters.
>
> The integer overflow issue was solved somewhere in year 2009, which was
> however not a complete fix since the ill-formed UTF8 chars., were still
> not properly validated. The rest of the issues were solved sometime back.
>
> It seems that the integer overflow is not exploitable on its own, you
> need to couple it with the second issue for the exploit to really work.
>
> Therefore do we really need two CVEs for this issue?
>
> [1] http://thread.gmane.org/gmane.comp.security.oss.general
> [2] http://bugs.php.net/bug.php?id=49687
> [3] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-5016
>
>
> --
>
> Huzaifa Sidhpurwala / Red Hat Security Response Team



-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org