oss-sec mailing list archives
Re: php header() header injection detection bypass
From: Raphael Geissert <geissert () debian org>
Date: Fri, 31 Aug 2012 17:42:14 -0500
Hi, On Friday 31 August 2012 13:38:16 Kurt Seifried wrote:
Apologies in advance for my questions but I'm a bit confused (also I don't have access to PHP security bugs so I'm a bit in the dark here). 1) I don't see #54182 and #54006 in the PHP ChangeLog, have these been fixed?
[...]
2) Are you saying that the "header injection detection bypass" wasn't completely fixed by the patches for #54182 and #54006, and then someone reported #60227, originally reported as #60028 which has been fixed needs a second CVE (e.g. the "an incomplete fix for original issue led to a second fix being pushed" thing)?
All the bug reports I mentioned are about exactly the same issue. The non- public ones have been marked as duplicates of the public one. I'm aware of at least 5.4.0 RC5 containing the incomplete fix[1], but I don't know in which exact RC version it made its way into. 5.4.0 beta2 was still vulnerable to CVE-2011-1398. PHP 5.4.1 RC1 already had the proper fix. So, since at least PHP 5.4.0 had the incomplete fix, I guess a new CVE for the incomplete fix is in order. Kurt, could you please assign one? Please let me know if it's not clear enough yet. [1]http://svn.php.net/viewvc/?view=revision&revision=318820 (referenced from #60227) Cheers, -- Raphael Geissert - Debian Developer www.debian.org - get.debian.net
Current thread:
- php header() header injection detection bypass Raphael Geissert (Aug 29)
- Re: php header() header injection detection bypass Kurt Seifried (Aug 31)
- Re: php header() header injection detection bypass Raphael Geissert (Aug 31)
- Re: php header() header injection detection bypass Kurt Seifried (Sep 01)
- Re: php header() header injection detection bypass Eygene Ryabinkin (Sep 04)
- Re: php header() header injection detection bypass cve-assign (Sep 04)
- Re: Re: php header() header injection detection bypass Raphael Geissert (Sep 04)
- Re: php header() header injection detection bypass cve-assign (Sep 05)
- Re: Re: php header() header injection detection bypass Raphael Geissert (Sep 06)
- Re: php header() header injection detection bypass Raphael Geissert (Aug 31)
- Re: Re: php header() header injection detection bypass Eygene Ryabinkin (Sep 04)
- Re: php header() header injection detection bypass Kurt Seifried (Aug 31)