[php-maint] php4 security issues, the compendium

sean finney seanius at debian.org
Sat Sep 9 09:21:34 UTC 2006 

hey guys,

i've just spent some time going through all of the emails sent back and
forth regarding php, and i've compiled what i think is the authoritative
list of open CVE's against php.

there's still that one scanf issue that i've heard conflicting decisions
on from joey/moritz, but otherwise i think we came to agreement on all
the other ones.  the ones which are "no" have the reason why they are
rejected in parenthesis, and the ones marked "yes" have a brief summary
of the CVE as a reminder.

unless i hear otherwise, i'll assemble a security NMU for the yes's.
and please mention anything you see missing.

CVE-2002-1954: no (no support for XSS fixes in phpinfo)
CVE-2005-1759: already fixed (shtool)
CVE-2005-3319: can't reproduce (htsession.save_path DoS)
CVE-2005-3353: yes (Possible DoS in exif_read_data())
CVE-2005-3388: no (no support for XSS fixes in phpinfo)
CVE-2005-3389: no (app's responsibility to sanitize parse_str input)
CVE-2005-3883: no (app's responsibility to sanitize sendmail input)
CVE-2006-0208: no (no support for XSS fixes in phpinfo)
CVE-2006-0931: no (app's responsibility to sanitize tar input)
CVE-2006-0996: no (no support for XSS fixes in phpinfo)
CVE-2006-1014: no (app's responsibility to sanitize sendmail input)
CVE-2006-1015: no (app's responsibility to sanitize sendmail input)
CVE-2006-1490: no (app's responsibility to sanitize html_decode input)
CVE-2006-1549: no (users can crash their own programs if they want)
CVE-2006-1990: no (would require malicious local user to exploit)
CVE-2006-3017: yes (unset() fails to unset variables)
CVE-2006-4020: contested (moritz/joey: can we get an agreement?)
CVE-2006-4023: no (app's responsibility to sanitize ip2long input)
CVE-2006-3016: no (we don't do "unspecified vulnerabilities")
CVE-2006-3017: yes (zend_hash_del and deleting wrong element)
CVE-2006-3018: no (we don't do "unspecified vulnerabilities")
CVE-2006-2660: no (users can create the files if they want)
CVE-2006-4482: yes (wordwrap vuln on 64-bit systems)
CVE-2006-4484: no (not from php4-gd, but *is* found in libgd2)


cheers,
	sean
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20060909/2857c168/attachment.pgp

More information about the pkg-php-maint mailing list