oss-sec mailing list archives

Re: php header() header injection detection bypass


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 31 Aug 2012 12:38:16 -0600


On 08/29/2012 12:26 PM, Raphael Geissert wrote:
> Hi,
>
> Reviewing a list of CVE ids that were assigned from the Debian CNA
> pool, I noticed there is one [id] for php5 that hasn't been made
> public, yet the issue has already been re-re-reported and in this
> last round finally fixed.
>
> I'm talking about https://bugs.php.net/60227
>
> It was independently reported by two persons, but as of this time
> their reports (#54182 and #54006) are still hidden behind the
> "security bug" curtain of PHP's bug tracker. Back when they were
> reported, I had assigned the following id: CVE-2011-1398 "header
> injection detection bypass." Note that the id only applies to the
> CR bypass part of the issue.
>
> Then came this other report (#60227, originally reported as
> #60028 by the same person but tagged security, which hid it too),
> which led to finally fixing the bug (but please beware of the
> original fix by reading [1]).
>
> Unless I missed something, the CR bypass issue was never assigned a
> CVE id once it became public. Please do correct me if I'm wrong.
>
> [1] http://article.gmane.org/gmane.comp.php.devel/70584
>
> Cheers,


Apologies in advance for my questions, but I'm a bit confused (also I
don't have access to PHP security bugs, so I'm a bit in the dark here).

1) I don't see #54182 and #54006 in the PHP ChangeLog, have these been
fixed?

Assuming they were fixed at some point this leads me to ask:

2) Are you saying that the "header injection detection bypass" wasn't
completely fixed by the patches for #54182 and #54006, and then
someone reported #60227 (originally reported as #60028), which has
been fixed and needs a second CVE (e.g. the "an incomplete fix for the
original issue led to a second fix being pushed" thing)?

Or am I getting this completely wrong (this is also possible).

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
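
The thread above only names the issue ("header injection detection bypass", with a separate CR bypass part) and does not show the mechanism. The following is an added example, written for this archive page and not code from the thread, from PHP, or from the bugs.php.net reports. It models, in Python rather than PHP's C source, the general shape of such a bypass: a check that rejects a header line only when it contains LF (assumed here as the weak form) lets a line containing a bare CR through, and a client that treats a bare CR as a line terminator (also an assumption, modelled by `split_as_lenient_client`) then sees a second, attacker-supplied header. The injected value, the `Location` header name and the `example.test` host are constructed for the demonstration.

```python
"""Model of header-injection detection with and without bare-CR handling.

Added illustration for the oss-sec thread on CVE-2011-1398; it is NOT PHP's
header() implementation. Assumptions, labelled here and in the lead-in:
  * the weak detector only looks for LF ("\n") in a header line;
  * a lenient client splits a header block on CRLF, LF, or a bare CR.
"""
import re
from typing import Callable, List

# A header line as emitted by the application: the value comes from user input.
HEADER_NAME = "Location"


def lf_only_check(line: str) -> bool:
    """Weak detection (assumed pre-fix shape): accept unless the line contains LF."""
    return "\n" not in line


def crlf_check(line: str) -> bool:
    """Hardened detection: a single header line may contain neither CR nor LF."""
    return "\r" not in line and "\n" not in line


def split_as_lenient_client(raw: str) -> List[str]:
    """Split the way an assumed lenient parser does: CRLF, LF, or bare CR all end a line."""
    return [part for part in re.split(r"\r\n|\n|\r", raw) if part]


def headers_seen(value: str, check: Callable[[str], bool]) -> List[str]:
    """Build one header from an untrusted value, run `check`, and return the
    header lines a lenient client would see. An empty list means the check
    rejected the header and nothing was sent."""
    line = f"{HEADER_NAME}: {value}"
    if not check(line):
        return []
    return split_as_lenient_client(line)


# Constructed sample inputs: a benign value, a CRLF injection and a bare-CR injection.
BENIGN = "http://example.test/"
CRLF_INJECTION = "http://example.test/\r\nSet-Cookie: session=attacker"
BARE_CR_INJECTION = "http://example.test/\rSet-Cookie: session=attacker"


def demo() -> dict:
    """Run every sample through both detectors; used by the stand-alone run below."""
    return {
        "lf_only": {
            "benign": headers_seen(BENIGN, lf_only_check),
            "crlf": headers_seen(CRLF_INJECTION, lf_only_check),
            "bare_cr": headers_seen(BARE_CR_INJECTION, lf_only_check),
        },
        "crlf": {
            "benign": headers_seen(BENIGN, crlf_check),
            "crlf": headers_seen(CRLF_INJECTION, crlf_check),
            "bare_cr": headers_seen(BARE_CR_INJECTION, crlf_check),
        },
    }


if __name__ == "__main__":
    for detector, results in demo().items():
        for case, lines in results.items():
            status = "REJECTED" if not lines else f"sent {len(lines)} header line(s)"
            print(f"{detector:8s} {case:8s} {status}: {lines}")
```

Under the LF-only detector the bare-CR sample is accepted and the lenient client sees two headers, `Location: ...` and the injected `Set-Cookie`; the CR/LF detector rejects both injected samples and passes only the benign value. When checking your own header-emitting code, test with `\r` alone, not just `\r\n`, and also cover `%0d` after URL decoding, since that is where such a value usually enters.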

