Author: jmm-guest
Date: 2007-04-18 21:09:43 +0000 (Wed, 18 Apr 2007)
New Revision: 5673

Modified: data/mopb.txt
Log: group MOPB file by PHP4/PHP5 status

Modified: data/mopb.txt
===================================================================
--- data/mopb.txt 2007-04-18 21:01:34 UTC (rev 5672)
+++ data/mopb.txt 2007-04-18 21:09:43 UTC (rev 5673)
@@ -1,52 +1,64 @@ -45 PHP ext/filter Email Validation Vulnerability -TODO(low) -> possible email header injections when coupled with other problems (php5 5.2.0, 5.2.1) +Issues affecting PHP 4 and PHP 5: -44 PHP 5.2.0 Memory Manager Signed Comparision Vulnerability -#TODO(medium) -> remotely exploitable via SOAP interfaces, CVE-2007-1889 (php5 5.2.0 only) - -42 PHP 5 php_stream_filter_create() Off By One Vulnerablity -#TODO(medium) -> needs to be fixed, Sarge not affected, CVE-2007-1824 (php5, remote code execution, though haven''t reproduced it) - 41 PHP 5 sqlite_udf_decode_binary() Buffer Overflow Vulnerability #TODO(medium) -> for PHP5, not activated in the PHP4 build, CVE-2007-1887. (php4 & php5, remote code execution) -35 PHP 4 zip_entry_read() Integer Overflow Vulnerability -#TODO(medium) -> needs to be fixed, CVE-2007-1777 (php4, remote code execution) - 34 PHP mail() Header Injection Through Subject and To Parameters #TODO(medium) -> needs to be fixed, CVE-2007-1718 (php4 & php5, header injection possible via some MTAs when set to process the headers for recipients) -33 PHP mail() Message ASCIIZ Byte Truncation -N/A This is a bug, but not security-relevant, CVE-2007-1717 (php4 & php5) - -32 PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability (U) -TODO(medium) -> needs to be fixed in php/etch, sarge not affected (php4 4.4.5/4.4.6, remote code execution) -[MOPB-32-php4.diff] - 30 PHP _SESSION unset() Vulnerability #TODO(low) -> hard to trigger remotely, CVE-2007-1700. 
(php4 & php5, code execution) 26 PHP mb_parse_str() register_globals Activation Vulnerability #TODO(medium) -> functionally enables register_globals for any future requests, CVE-2007-1583 (php4 & php5, enables stealth register_globals for life of process) -24 PHP array_user_key_compare() Double DTOR Vulnerability -N/A Only triggerable by malicious script, CVE-2007-1484 (php4 & php5, code execution) - 23 PHP 5 Rejected Session Identifier Double Free Vulnerability #TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1522. (php5 5.2.0+, code execution) +10 PHP php_binary Session Deserialization Information Leak Vulnerability +#TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380 (php4 & php5, heap leak) +Check, to which extent this was covered by our backports of 5.2.1 patches + + + +Issues affecting PHP 4 only: + +35 PHP 4 zip_entry_read() Integer Overflow Vulnerability +#TODO(medium) -> needs to be fixed, CVE-2007-1777 (php4, remote code execution) + +32 PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability (U) +TODO(medium) -> needs to be fixed in php/etch, sarge not affected (php4 4.4.5/4.4.6, remote code execution) +[MOPB-32-php4.diff] + 22 PHP session_regenerate_id() Double Free Vulnerability #TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1521 (php4 & php5, code execution) [MOPB-22-php4.diff] +04 PHP 4 unserialize() ZVAL Reference Counter Overflow +TODO (php4 only, gain execute control) +[MOPB-04-php4.diff] + + + +Issues affecting PHP 5 only: + +45 PHP ext/filter Email Validation Vulnerability +TODO(low) -> possible email header injections when coupled with other problems (php5 5.2.0, 5.2.1) + +44 PHP 5.2.0 Memory Manager Signed Comparision Vulnerability +#TODO(medium) -> remotely exploitable via SOAP interfaces, CVE-2007-1889 (php5 5.2.0 only) + +42 PHP 5 php_stream_filter_create() Off By One Vulnerablity +#TODO(medium) -> needs to be fixed, 
CVE-2007-1824 (php5, remote code execution, though haven''t reproduced it) + 19 PHP ext/filter Space Trimming Buffer Underflow Vulnerability -#TODO(medium) -> for PHP5. Sarge not affected. CVE-2007-1453 (php5 5.2.0 only, code execution on big endian) +#TODO(medium) -> for PHP5. CVE-2007-1453 (php5 5.2.0 only, code execution on big endian) 18 PHP ext/filter HTML Tag Stripping Bypass Vulnerability -#TODO(medium) -> for PHP5. Sarge not affected. CVE-2007-1453 (php5 5.2.0 only, can avoid filters) +#TODO(medium) -> for PHP5. CVE-2007-1453 (php5 5.2.0 only, can avoid filters) 17 PHP ext/filter FDF Post Bypass Vulnerability -#TODO(low) -> ...or possibly "broken as designed". CVE-2007-1452, Sarge is not affected. (php5 5.2.0 only, can avoid filters) +#TODO(low) -> ...or possibly "broken as designed". CVE-2007-1452, (php5 5.2.0 only, can avoid filters) 16 PHP zip:// URL Wrapper Buffer Overflow Vulnerability #TODO(medium) -> possible remote data can result in code execution in 5.2.0 which uses the zip handler, CVE-2007-1399. (php5 5.2.0 only, code execution) @@ -54,17 +66,13 @@ 14 PHP substr_compare() Information Leak Vulnerability #TODO(low) -> corner-case where length+offset > INT_MAX, CVE-2007-1375 (php5, heap leak) -10 PHP php_binary Session Deserialization Information Leak Vulnerability -#TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380 (php4 & php5, heap leak) -Check, to which extent this was covered by our backports of 5.2.1 patches -04 PHP 4 unserialize() ZVAL Reference Counter Overflow -TODO (php4 only, gain execute control) -[MOPB-04-php4.diff] + Done or resolved: + 43 PHP msg_receive() Memory Allocation Integer Overflow Vulnerabilty #N/A -> Only triggerable by malicious script, CVE-2007-1890 (php4 & php5, local code execution, possibly FreeBSD only) 
@@ -83,6 +91,9 @@ 36 PHP session.save_path open_basedir Bypass Vulnerability #N/A -> open_basedir bypasses not supported, CVE-2007-1461 +33 PHP mail() Message ASCIIZ Byte Truncation +N/A This is a bug, but not security-relevant, CVE-2007-1717 (php4 & php5) + 31 PHP _SESSION Deserialization Overwrite Vulnerability #N/A -> register_globals not supported, already fixed in DSA-1264, dupe CVE-2007-0910/CVE-2007-1701 (php4 & php5, very hard to trigger remotely, code execution) @@ -98,6 +109,9 @@ 25 PHP header() Space Trimming Buffer Underflow Vulnerability #Fixed in Etch as part of the 5.2.1 backport, dupe CVE-2007-0907/CVE-2007-1584 +24 PHP array_user_key_compare() Double DTOR Vulnerability +N/A Only triggerable by malicious script, CVE-2007-1484 (php4 & php5, code execution) + 21 PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability #N/A -> Safemode and open_basedir bypasses not supported, CVE-2007-1461
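Review bot: In the first hunk (@@ -1,52 +1,64 @@) the new grouping and the per-entry annotations disagree in two places. Entry 23 (Rejected Session Identifier Double Free, CVE-2007-1522) stays as unchanged context under "Issues affecting PHP 4 and PHP 5:" although its own note reads "(php5 5.2.0+, code execution)", and entry 22 (session_regenerate_id(), CVE-2007-1521) is left under the new "Issues affecting PHP 4 only:" heading while its note reads "(php4 & php5, code execution)"; either move each entry to the group its note describes or amend the note, otherwise the headings cannot be trusted when picking work for the PHP 4 and PHP 5 packages. Since the 44 and 42 lines are being re-added anyway, this is also a cheap point to fix "Signed Comparision" and "Off By One Vulnerablity", and to make 45, 32 and 04 use the "#TODO" prefix that the neighbouring entries use instead of bare "TODO".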
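Review bot: In the third hunk (@@ -83,6 +91,9 @@) the moved entry 33 keeps its original status line "N/A This is a bug, but not security-relevant, ...", whereas the surrounding resolved entries (36, 31) all use the "#N/A -> ..." form; suggest rewriting the status line as "#N/A -> This is a bug, but not security-relevant, CVE-2007-1717 (php4 & php5)" so the "Done or resolved" section is uniformly marked.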
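Review bot: Same style point for the fourth hunk (@@ -98,6 +109,9 @@): the moved entry 24 carries "N/A Only triggerable by malicious script, ..." while its neighbours 25 and 21 use the "#..." prefix and "#N/A ->" form; "#N/A -> Only triggerable by malicious script, CVE-2007-1484 (php4 & php5, code execution)" would match the section's convention.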