oss-sec mailing list archives

Re: Re: php header() header injection detection bypass


From: Raphael Geissert <geissert () debian org>
Date: Tue, 4 Sep 2012 18:25:27 -0500

On Tuesday 04 September 2012 14:02:25 cve-assign () mitre org wrote:
> This is perfect, thanks. Please use CVE-2012-4388 for the incomplete
> fix for CVE-2011-1398.
> [...]
> In the current situation, CVE-2011-1398 will probably be modified soon
> to have a "NOTE: this vulnerability exists because of an incomplete
> fix for CVE-####-####." sentence.

As far as I'm aware, there was no CVE assigned when the original header 
injection/response splitting protection was added. I presume there wasn't 
one because it was a security feature to protect applications that didn't 
validate what was being passed to header()[1], not a fix for a vulnerability.

[1] such as phpMyID: http://seclists.org/bugtraq/2008/Oct/4
(which now I notice never got a CVE id)

> Although a vulnerability statement such as "First one still has the
> possibility of injecting '\r' before the first '\n'" can be associated
> with the concept of an incomplete fix, MITRE does not consider the fix
> to be an "incomplete fix for" a different CVE (that references a
> better patch). In our terminology, the "incomplete fix for" phrase is
> only used for pointers in the opposite direction. And, of course, CVEs
> are assigned to vulnerabilities, not to fixes.

Perhaps I'm misunderstanding something, but the above is confusing me.

To me, this is what each of the ids represent:
CVE-2011-1398: describes the protection bypass
CVE-2012-4388: describes the failure to fully fix the protection bypass 
(hence the "incomplete fix for CVE-2011-1398")


P.S. I don't even mention the NUL-byte issue as it, to the best of my 
knowledge, never made it into a release.

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
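An added illustration of the gap this thread is about, written for this page and not taken from the thread, from PHP or from Debian: a hypothetical header-value checker that only examines the neighbourhood of each '\n', so a bare '\r' placed before the first '\n' (or with no '\n' at all) passes, shown beside a strict check, plus a splitter showing how a lenient HTTP client turns the accepted value into two headers. The checker logic, the "Location: " prefix and the sample inputs are constructed assumptions; none of it is PHP's main/SAPI.c.

```python
import re

# Constructed sample: user input that an application passes to
# something like header("Location: " . $target). Not from the thread.
PREFIX = "Location: "


def weak_header_check(header_line: str) -> bool:
    """Hypothetical model of an incomplete response-splitting check.

    It scans only for '\n'. Each '\n' must start a folded continuation
    (next char is space or tab), otherwise the line is rejected; as the
    'fix', a '\r' directly before that '\n' is rejected as well. A '\r'
    that is not adjacent to a '\n' is never inspected, so a bare CR
    before the first LF, or with no LF at all, is accepted. This models
    the gap discussed above; it is not PHP's actual code.
    """
    pos = header_line.find("\n")
    while pos != -1:
        if pos > 0 and header_line[pos - 1] == "\r":
            return False
        nxt = header_line[pos + 1:pos + 2]
        if nxt not in (" ", "\t"):
            return False
        pos = header_line.find("\n", pos + 1)
    return True


def strict_header_check(header_line: str) -> bool:
    """Sound check: refuse CR or LF in any position, no folding."""
    return "\r" not in header_line and "\n" not in header_line


def lenient_client_lines(raw_headers: str) -> list:
    """Split the way a forgiving HTTP parser does: CRLF, bare CR and
    bare LF all end a header line. This is why a lone '\r' matters."""
    return [l for l in re.split(r"\r\n|\r|\n", raw_headers) if l]


def evaluate(target: str) -> dict:
    """Run both checks on one input and show what a lenient client sees."""
    line = PREFIX + target
    return {
        "weak_accepts": weak_header_check(line),
        "strict_accepts": strict_header_check(line),
        "lines_seen_by_client": lenient_client_lines(line),
    }


if __name__ == "__main__":
    samples = [
        ("benign", "https://example.org/home"),
        ("crlf", "https://example.org/\r\nSet-Cookie: session=attacker"),
        ("bare_cr", "https://example.org/\rSet-Cookie: session=attacker"),
        ("cr_before_first_lf",
         "https://example.org/\rSet-Cookie: session=attacker\n folded"),
    ]
    for name, target in samples:
        print(name, evaluate(target))
```

The weak model rejects the textbook CRLF payload but accepts the bare-CR variants, which the lenient splitter still turns into an injected Set-Cookie line; the strict check refuses both. Whether bare CR is honoured as a line end depends on the client, so a checker that wants to be safe has to refuse it regardless.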

