Re: php header() header injection detection bypass

[Raphael Geissert <geissert () debian org>]

Hi,

On Friday 31 August 2012 13:38:16 Kurt Seifried wrote:
> Apologies in advance for my questions but I'm a bit confused (also I
> don't have access to PHP security bugs so I'm a bit in the dark here).
>
> 1) I don't see #54182 and #54006 in the PHP ChangeLog, have these been
> fixed?
[...]
> 2) Are you saying that the "header injection detection bypass" wasn't
> completely fixed by the patches for #54182 and #54006, and then
> someone reported #60227, originally reported as #60028 which has been
> fixed needs a second CVE (e.g. the "an incomplete fix for original
> issue led to a second fix being pushed" thing)?

All the bug reports I mentioned are about exactly the same issue. The non-
public ones have been marked as duplicates of the public one.

I'm aware of at least 5.4.0 RC5 containing the incomplete fix[1], but I don't 
know in which exact RC version it made its way into. 5.4.0 beta2 was still 
vulnerable to CVE-2011-1398.

PHP 5.4.1 RC1 already had the proper fix.

So, since at least PHP 5.4.0 had the incomplete fix, I guess a new CVE for 
the incomplete fix is in order. Kurt, could you please assign one?

Please let me know if it's not clear enough yet.

[1]http://svn.php.net/viewvc/?view=revision&revision=318820
(referenced from #60227)

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net