Re: CVE Request: PHP

[Joshua Rogers <oss () internot info>]

On 08/01/15 22:11, Joshua Rogers wrote:

> CVE Request 2:
>
> Uninitalized Pointer Read in PHP core('fopen()')
> Bug report: https://bugs.php.net/bug.php?id=68692&edit=2
> Commit fix:
> http://git.php.net/?p=php-src.git;a=commit;h=7ebdc8d70d7617f2c3353b027663ef54a24a2248
Not a valid security risk. In all cases of the 'vulnerable' function
being used, a specific case is not true, which means that it cannot be
exploited.
> >                 if (!(stream = php_stream_open_wrapper(p + 10, mode,
> > options, opened_path))) {
> >                         efree(pathdup);
> >                         return NULL;
> >                 }
'stream' must be false when php_stream_apply_filter_list is called,
which for all cases in the PHP code, cannot be.

> CVE Request 3:
> Uninitalized Pointer Read in PHP core
> Bug report: https://bugs.php.net/bug.php?id=68694&edit=2
> Commit fix:
> http://git.php.net/?p=php-src.git;a=commit;h=f3ea1b0b6a42a08093bf9191ad76fb4b5e0a653b
This is invalid too.
It requires, like the request #2, for 'stream' to be NULL.

>         for (key = php_strtok_r(tmp, ",", &lasts);
In this case, 'tmp' must be NULL for it to crash/be exploited.
But tmp is defined:
>         tmp = estrndup(new_value->val, new_value->len);
estrndup uses "emalloc", which like the other one from a few days ago
that I revoked, doesn't return NULL, but just crashes the program with
out-of-memory exit.


Thanks,
-- 
-- Joshua Rogers <https://internot.info/>

Attachment: signature.asc
Description: OpenPGP digital signature