[php-maint] status of multiple vulnerabilities in php4/sarge: update

sean finney seanius at debian.org
Tue Aug 15 15:58:44 UTC 2006


hey security peeps,

i've been spending a bit of time on the list of known/open php
vulnerabilities in sarge.  i have a work-in-progress NMU prepared,
along with some PoC code for the easy to verify vulns here:

http://people.debian.org/~seanius/security/php


below is a list of the open CVEs according to the security-testing
CVE tracker, and their status wrt the above NMU.  some could use
a second set of eyes, others could use general opinions:

CVE-2005-3353: patched and verified with PoC
CVE-2006-1990: patched and verified with PoC
CVE-2005-3388: patched and verified with PoC
CVE-2006-0996: patched and verified with PoC

CVE-2002-1954: could not reproduce, but the patch for CVE-2005-3388
               would fix it if it were a vulnerability

CVE-2005-3883: patched but not verified (taken from other vendor)
CVE-2005-3389: patched but not verified (taken from other vendor)
CVE-2006-1490: patched but not verified (taken from other vendor)
CVE-2006-0208: patched but not verified (taken from other vendor)

CVE-2005-1759: a fix for this was already present in 4.3.10-16

and finally, the ones needing further review/discussion:

CVE-2005-3319: (htaccess session.save_path DoS) can't reproduce.

CVE-2006-0931: (directory traversal with submitted tar archives in pear)
               there's some question as to whether this is actually
               a problem with pear.  i'd argue that the responsibility
               is on the application using pear::tar to ensure valid
               contents in the archive, just like any other input
               sanitizing problem.

CVE-2006-1014: (see below)
CVE-2006-1015: (attack vectors on sendmail via cmdline argument injection)
               again, i would argue this is a case of application
               responsibility to sanitize input.  the CVE author hints
               at this as well with a note in the mitre.org entry.

CVE-2006-1549: (infinitely recursive functions can cause crash/segfault)
               my thought on this is "well, duh".


phew.  okay afaik that's it; feedback would be appreciated.


	sean

ps - i am cc'ing the current php maintainers so they are in the loop and
     can provide feedback as well.
