oss-sec mailing list archives
Re: CVE Request: PHP
From: Joshua Rogers <oss () internot info>
Date: Fri, 09 Jan 2015 04:02:41 +1100
On 08/01/15 22:11, Joshua Rogers wrote:
> CVE Request 2: Uninitialized Pointer Read in PHP core ('fopen()')
> Bug report: https://bugs.php.net/bug.php?id=68692&edit=2
> Commit fix: http://git.php.net/?p=php-src.git;a=commit;h=7ebdc8d70d7617f2c3353b027663ef54a24a2248
Not a valid security risk. In all cases of the 'vulnerable' function being used, a specific case is not true, which means that it cannot be exploited.
if (!(stream = php_stream_open_wrapper(p + 10, mode, options, opened_path))) { efree(pathdup); return NULL; }
'stream' must be false when php_stream_apply_filter_list is called, which, for all cases in the PHP code, cannot be.
> CVE Request 3: Uninitialized Pointer Read in PHP core
> Bug report: https://bugs.php.net/bug.php?id=68694&edit=2
> Commit fix: http://git.php.net/?p=php-src.git;a=commit;h=f3ea1b0b6a42a08093bf9191ad76fb4b5e0a653b
This is invalid too. It requires, like request #2, for 'stream' to be NULL.
for (key = php_strtok_r(tmp, ",", &lasts);
In this case, 'tmp' must be NULL for it to crash/be exploited. But tmp is defined:
tmp = estrndup(new_value->val, new_value->len);
estrndup uses "emalloc", which, like the other one from a few days ago that I revoked, doesn't return NULL but just crashes the program with an out-of-memory exit.

Thanks,
-- 
Joshua Rogers <https://internot.info/>
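The argument above rests on one property of the allocator: estrndup()/emalloc() abort the process on out-of-memory rather than returning NULL, so 'tmp' can never be NULL when it reaches php_strtok_r(), and the uninitialized 'lasts' pointer is never read. The following is an added illustration, not PHP's code: a fail-fast string duplicator modelled on that behaviour, the same strtok_r()-style loop over a comma-separated filter list, and, for contrast, the guard that would only be needed if the allocator could return NULL. The function names fatal_strndup, count_filters and count_filters_guarded and the sample inputs are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not PHP's code. fatal_strndup() mimics the property
 * of estrndup()/emalloc() that the mail relies on: on allocation
 * failure it terminates the process instead of returning NULL. */
static char *fatal_strndup(const char *s, size_t len)
{
    char *p = malloc(len + 1);
    if (p == NULL) {
        fputs("Out of memory\n", stderr);
        exit(1);              /* fatal, like emalloc's OOM path */
    }
    memcpy(p, s, len);
    p[len] = '\0';
    return p;
}

/* Same shape as the PHP loop: tokenize a comma-separated filter list
 * and return the number of filter names. 'lasts' is deliberately left
 * uninitialized, as in the original; strtok_r() only reads it when its
 * first argument is NULL, and fatal_strndup() never returns NULL, so
 * the uninitialized read is unreachable. */
size_t count_filters(const char *value, size_t len)
{
    char *tmp = fatal_strndup(value, len);
    char *lasts;
    size_t n = 0;

    for (char *key = strtok_r(tmp, ",", &lasts);
         key != NULL;
         key = strtok_r(NULL, ",", &lasts)) {
        n++;
    }
    free(tmp);
    return n;
}

/* The guard that would be required only if the buffer could be NULL,
 * e.g. with a plain strndup() that returns NULL on failure. Returns
 * (size_t)-1 to signal "no buffer" instead of calling strtok_r(NULL). */
size_t count_filters_guarded(char *tmp)
{
    char *lasts = NULL;       /* initialized: no uninitialized read even on misuse */
    size_t n = 0;

    if (tmp == NULL) {
        return (size_t)-1;
    }
    for (char *key = strtok_r(tmp, ",", &lasts);
         key != NULL;
         key = strtok_r(NULL, ",", &lasts)) {
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample filter lists (not from the bug reports). */
    const char *list = "string.rot13,convert.base64-encode";
    printf("%zu filters in \"%s\"\n", count_filters(list, strlen(list)), list);
    printf("%zu filters in \"\"\n", count_filters("", 0));
    printf("guarded NULL -> %zu\n", count_filters_guarded(NULL));
    return 0;
}
```

strtok_r() collapses adjacent delimiters, so "a,,b," yields two tokens; that matches the PHP loop's behaviour and is asserted below rather than guessed.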