CVE-2015-1352: security - Re: CVE Request: PHP
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate token extraction for table names, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted name.
Date: Sat, 24 Jan 2015 14:28:51 -0500 (EST)
From: cve-assign@…re.org
To: oss@…ernot.info
Cc: cve-assign@…re.org, oss-security@…ts.openwall.com
Subject: Re: CVE Request: PHP
> Date: Thu, 08 Jan 2015 22:11:09 +1100
> I’m requesting multiple CVE-IDs for multiple vulnerabilities in PHP that I found:
>
> Use after free in ‘opcache’ component of PHP
> https://bugs.php.net/bug.php?id=68677
> http://git.php.net/?p=php-src.git;a=commit;h=777c39f4042327eac4b63c7ee87dc1c7a09a3115
Use CVE-2015-1351.
(requests 2 and 3 are skipped because of the http://openwall.com/lists/oss-security/2015/01/08/5 post)
> Null Pointer Dereference in pgsql
> https://bugs.php.net/bug.php?id=68741
> http://git.php.net/?p=php-src.git;a=commit;h=124fb22a13fafa3648e4e15b4f207c7096d8155e
Use CVE-2015-1352 for this issue in which a return value isn’t validated.
> Null Pointer Dereference in ereg(regex)
> https://bugs.php.net/bug.php?id=68740
> http://git.php.net/?p=php-src.git;a=commit;h=124fb22a13fafa3648e4e15b4f207c7096d8155e
Because of an unusual process step on MITRE’s end, there was also some communication about these bugs that was only between MITRE and Joshua Rogers, without a Cc to oss-security. For Bug #68740, the additional discussion sent to us was (more or less) that code in between lines 140 and 167 wouldn’t change g->setbits to a non-NULL value. This is also essentially implied by the reasoning used in the Description section of Bug #68740. (We didn’t want to send the private e-mail here, but Joshua Rogers is free to send it if he wants.)
MITRE doesn’t have a full code analysis and isn’t confident about whether the “explicit null dereference” exists or not. All we can offer is that the “wouldn’t change g->setbits to a non-NULL value” seems somewhat implausible because it means that significant intended functionality of the code wouldn’t have worked at all.
As an example, this sequence of function calls seems possible:
p_str - ordinary - bothcases - p_bracket - allocset
where allocset contains:
p->g->setbits = (uch *)malloc(nbytes);
and a memset (and the code before the line-140 “g->setbits = NULL” includes a “p->g = g”).
We’re going to defer a CVE assignment for Bug #68740 until someone outside MITRE offers additional analysis. It might be worthwhile to update Bug #68740 so that the “explicit null dereference” term isn’t used. Although maybe a code path with a NULL pointer dereference can be found, it’s apparently not the case that g->setbits is explicitly guaranteed to be NULL on line 1279.
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
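The pgsql issue above (CVE-2015-1352) is an unvalidated return value from token extraction on a table name. The following is an added, constructed C model of that bug class, not PHP's pgsql.c code or the actual patch: a "schema.table" splitter built on strtok_r, which returns NULL when the name contains no token at all (an empty string, or nothing but delimiters), together with the NULL check that turns a crash into a rejected input. The function names, the default-schema rule and the simplified quoting are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strtok_r */
#include <stdio.h>
#include <string.h>

/* Constructed model of a "schema.table" splitter in the spirit of the token
 * extraction the advisory describes; it is not PHP's pgsql.c code.
 * Returns 0 and fills schema/table on success, -1 if no token is found. */
static int split_tablename(const char *name, char *schema, char *table, size_t sz)
{
    char copy[256], *save = NULL, *token, *rest;
    if (strlen(name) >= sizeof copy)
        return -1;
    strcpy(copy, name);
    /* strtok_r skips leading delimiters, so an empty name or one made only
     * of '.' characters yields NULL. Using that pointer without a check is
     * the unvalidated return value behind CVE-2015-1352. */
    token = strtok_r(copy, ".", &save);
    if (token == NULL)          /* the validation a fix must add */
        return -1;
    rest = strtok_r(NULL, ".", &save);
    if (rest == NULL) {         /* unqualified name: assume default schema */
        snprintf(schema, sz, "%s", "public");
        snprintf(table, sz, "%s", token);
    } else {
        snprintf(schema, sz, "%s", token);
        snprintf(table, sz, "%s", rest);
    }
    return 0;
}

/* Builds a quoted "schema"."table" identifier (quoting is simplified; real
 * code must also escape embedded quotes). Returns -1 on invalid input. */
static int build_tablename(const char *name, char *out, size_t outsz)
{
    char schema[128], table[128];
    if (split_tablename(name, schema, table, sizeof schema) != 0)
        return -1;
    snprintf(out, outsz, "\"%s\".\"%s\"", schema, table);
    return 0;
}

/* Check helper: 1 if name builds to expected, 0 on mismatch, -1 if rejected. */
static int builds_to(const char *name, const char *expected)
{
    char out[300];
    if (build_tablename(name, out, sizeof out) != 0)
        return -1;
    return strcmp(out, expected) == 0;
}
```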