Not sure if this is the correct place for VuXML questions, but the FreeBSD VuXML list ( http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty dead given the last update was in 2007 according to the archives. We were previously tracking this entry, which pretty much sat for a while without an applicable upgradeable resolution available. Affected package: php5-posix-5.2.6 Type of problem: php -- input validation error in posix_access function. Reference: <http://www.FreeBSD.org/ports/portaudit/ee6fa2bd-406a-11dd-936a-0015af872849 .html> ----------- Then late last week, the same VuXML ID started reporting this information instead: Affected package: php5-5.2.6 Type of problem: php -- input validation error in safe_mode. Reference: <http://www.FreeBSD.org/ports/portaudit/ee6fa2bd-406a-11dd-936a-0015af872849 .html> ------------ The generic question I'm asking is: What happened and why? Seems to me that if you have a VuXML ID (which, I thought wasn't suppose to be re-used), then it's name and description shouldn't just apparently change one day. So is the prior "php5-posix-5.2.6" and the now "php5-5.2.6" with same ID, the same bug, a new description, does the newer supercede, etc, etc? Where can I get the background on what went on here? Thanks. -_S
Andrew Storms wrote:> Not sure if this is the correct place for VuXML questions, but the FreeBSD > VuXML list ( http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty > dead given the last update was in 2007 according to the archives. > > We were previously tracking this entry, which pretty much sat for a while > without an applicable upgradeable resolution available. > > Affected package: php5-posix-5.2.6 > Type of problem: php -- input validation error in posix_access function. > Reference: > <http://www.FreeBSD.org/ports/portaudit/ee6fa2bd-406a-11dd-936a-0015af872849 > .html> > > ----------- > > Then late last week, the same VuXML ID started reporting this information > instead: > > Affected package: php5-5.2.6 > Type of problem: php -- input validation error in safe_mode. > Reference: > <http://www.FreeBSD.org/ports/portaudit/ee6fa2bd-406a-11dd-936a-0015af872849 > .html> > > ------------ > > > The generic question I'm asking is: What happened and why? Seems to me that > if you have a VuXML ID (which, I thought wasn't suppose to be re-used), then > it's name and description shouldn't just apparently change one day.There was an input validation bug in a function that was used in all posix_ functions that used files (http://../ ended up in /) which bypassed safe_mode.> > So is the prior "php5-posix-5.2.6" and the now "php5-5.2.6" with same ID, > the same bug, a new description, does the newer supercede, etc, etc? Where > can I get the background on what went on here?It was only in the posix module, not in entire PHP. ale@ took the fixing patch from PHP-cvs and attached it as a patch to the port a few days ago (or at least committed it) Afaik the vuxml also updated then; and I think ale@ took a look at the patch and changed the vuxml to say the portrevision with that patch wasn't vulnerable anymore, and also clearified the description. -- Jille> > Thanks. > > -_S > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
On Mon, Sep 08, 2008 at 08:33:49AM -0700, Andrew Storms wrote:> Not sure if this is the correct place for VuXML questions, but the FreeBSD > VuXML list ( http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty > dead given the last update was in 2007 according to the archives. > > We were previously tracking this entry, which pretty much sat for a while > without an applicable upgradeable resolution available. > > Affected package: php5-posix-5.2.6 > Type of problem: php -- input validation error in posix_access function. > Reference: > <http://www.FreeBSD.org/ports/portaudit/ee6fa2bd-406a-11dd-936a-0015af872849 > .html> > ----------- > > Then late last week, the same VuXML ID started reporting this information > instead: > > Affected package: php5-5.2.6 > Type of problem: php -- input validation error in safe_mode. > Reference: > <http://www.FreeBSD.org/ports/portaudit/ee6fa2bd-406a-11dd-936a-0015af872849 > .html> > ------------ > > The generic question I'm asking is: What happened and why? Seems to me that > if you have a VuXML ID (which, I thought wasn't suppose to be re-used), then > it's name and description shouldn't just apparently change one day. > > So is the prior "php5-posix-5.2.6" and the now "php5-5.2.6" with same ID, > the same bug, a new description, does the newer supercede, etc, etc? Where > can I get the background on what went on here?My initial impression after reading the full disclosures on SecurityFocus is that these two flaws are separate, and should have been given separate VuXML IDs: CVE-2008-2665: http://www.securityfocus.com/bid/29797 CVE-2008-2666: http://www.securityfocus.com/bid/29796 As for the CVS commits under scrutiny, here they are in chronological order: Revision 1.1645 Revision 1.1646 Revision 1.1647 Revision 1.1676 http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vuxml/vuln.xml -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |