[php-maint] Re: another batch of php security issues for review

Martin Schulze joey at infodrom.org
Tue Aug 29 16:17:47 UTC 2006


Thanks a lot Adam!

Adam Conrad wrote:
> >> CVE-2006-3016 (Unspecified vulnerability in session.c in PHP before
> >> 5.1.3 has unknown ...)
> >>
> >> 	gotta love the "unspecified".  looks like php doesn't perform
> >> 	checks on the session name, which can contain any number of
> >> 	malicious things and be used for sql injection, xss, etc.
> >>
> >> 	not sure if this is another shoot-yourself-in-the-foot issue or
> >> 	whether we should include the fix (which apparently is to only
> >> 	allow session names with alphanumeric characters)
> >>     
> >
> > Without more details I can't say more.  Hmm, it's said to be fixed in
> > http://www.ubuntu.com/usn/usn-320-1 but not mentioned inside.
> >   
> http://cvs.php.net/viewcvs.cgi/php-src/ext/session/session.c?r1=1.425&r2=1.426
> >   
> >> CVE-2006-3018 (Unspecified vulnerability in the session extension
> >> functionality in ...)
> >>
> >> 	this seems similar to the above, only it can result in heap
> >> 	corruption, which makes me think that perhaps it's appropriate
> >> 	to fix it (though finding the fix will be less than fun)
> >>     
> >
> > If we had the fix, we could maybe think about attack vectors.  Right
> > now, nearly everything is unspecified and hence difficult to judge.
> >
> >   
> http://cvs.php.net/viewcvs.cgi/php-src/ext/session/mod_files.c?r1=1.102&r2=1.103
> 
> Pre-made patches for both of these can be pulled from debian/patches in
> the dapper-security sources.

I'd consider them bugs but not security bugs.  They should be fixed
in the regular version of PHP but imho don't warrant a security update.

Regards,

	Joey

-- 
Beware of bugs in the above code; I have only proved it correct,
not tried it.  -- Donald E. Knuth
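The check described in the quoted review above (accept a session name only if it consists of alphanumeric characters) can be applied from userland as well, before the name ever reaches session_name(). The following is an added example written for this page; it is not the upstream PHP patch linked above, and the exact rule that patch enforces is not given here beyond "alphanumeric only". The function names, the byte-level regex and the sample names are constructed for illustration.

```php
<?php
// Added example, not the PHP project's code: enforce the alphanumeric-only
// rule for session names that the thread describes as the upstream fix.
// Function names and test inputs are constructed for illustration.

/**
 * True if $name is non-empty and every byte is in [A-Za-z0-9].
 * A regex over the raw bytes is used instead of ctype_alnum() so the
 * result does not depend on the process locale.
 */
function is_safe_session_name(string $name): bool
{
    return preg_match('/^[A-Za-z0-9]+$/', $name) === 1;
}

/**
 * Set the session name only if it passes the check; otherwise keep the
 * current name and report the rejection to the caller.
 */
function set_session_name_checked(string $name): bool
{
    if (!is_safe_session_name($name)) {
        trigger_error(
            'session name rejected: must be non-empty and alphanumeric',
            E_USER_WARNING
        );
        return false;
    }
    // session_name() must be called before session_start(); it returns
    // the previous name, which is not needed here.
    session_name($name);
    return true;
}

// Constructed inputs: one ordinary name plus names carrying the kinds of
// payloads the thread mentions (SQL injection, XSS) and a path-style value.
// Only the first one is accepted.
$candidates = [
    'PHPSESSID',
    "sess'; DROP TABLE users;--",
    '<script>alert(1)</script>',
    '../../etc/passwd',
    'session name with spaces',
    '',
];

foreach ($candidates as $candidate) {
    printf(
        "%-34s %s\n",
        var_export($candidate, true),
        is_safe_session_name($candidate) ? 'accepted' : 'rejected'
    );
}
```

Run this with the PHP CLI; only 'PHPSESSID' is reported as accepted. The guard rejects the empty string as well, since an empty session name is never valid.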
