Author: jmm-guest Date: 2007-04-11 19:51:12 +0000 (Wed, 11 Apr 2007) New Revision: 5646 Modified: data/CVE/list data/mopb.txt Log: more work on php (currently focused on php4) two php issues unimportant pennmush no-dsa centericq icq not-affected, fixed anyway Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-04-11 18:25:02 UTC (rev 5645) +++ data/CVE/list 2007-04-11 19:51:12 UTC (rev 5646) @@ -851,7 +851,8 @@ CVE-2007-1476 (The SymTDI driver in Symantec Norton Personal Firewall 2006 9.1.1.7 ...) NOT-FOR-US: Symantec Norton Personal Firewall CVE-2007-1475 (Multiple buffer overflows in the (1) ibase_connect and (2) ...) - - php4 <unfixed> (low) + - php4 <unfixed> (unimportant) + NOTE: Can only be triggered by malicious script CVE-2007-1474 (Argument injection vulnerability in the cleanup cron script in Horde ...) - horde3 3.1.3-4 (medium) CVE-2007-1473 (Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php in ...) @@ -970,7 +971,9 @@ CVE-2007-1432 (Grayscale Blog 0.8.0, and possibly earlier versions, allows remote ...) NOT-FOR-US: Grayscale Blog CVE-2007-1431 (Multiple unspecified vulnerabilities in PennMUSH 1.8.3 before 1.8.3p1 ...) - - pennmush <unfixed> + - pennmush <unfixed> (low) + [sarge] - pennmush <no-dsa> (Minor issue) + [etch] - pennmush <no-dsa> (Minor issue) CVE-2007-1430 (PHP remote file inclusion vulnerability in ...) NOT-FOR-US: ClipShare CVE-2007-1429 (Multiple PHP remote file inclusion vulnerabilities in Moodle 1.7.1 ...) 
@@ -1091,8 +1094,8 @@ - php4 <unfixed> (medium) - php5 <unfixed> (medium) CVE-2007-1375 (Integer overflow in the substr_compare function in PHP 5.2.1 and ...) - - php5 <unfixed> (unknown) - NOTE: Needs further investigation + - php5 <unfixed> (medium) + NOTE: Should be fixed, could be used as a stepstone for further attacks CVE-2007-1374 (Cross-site scripting (XSS) vulnerability in pop_profile.asp in Snitz ...) NOT-FOR-US: Snitz Forums CVE-2007-1373 (Stack-based buffer overflow in Mercury/32 (aka Mercury Mail Transport ...) @@ -1346,8 +1349,9 @@ CVE-2007-1286 (Integer overflow in PHP 4.4.4 and earlier allows remote ...) - php4 <unfixed> (low) CVE-2007-1285 (The Zend Engine in PHP 4.x and 5.x allows remote attackers to cause a ...) - - php5 <unfixed> (low) - - php4 <unfixed> (low) + - php5 <unfixed> (unimportant) + - php4 <unfixed> (unimportant) + NOTE: Needs to be sanisited within apps, only crashes the current instance anyway CVE-2007-1284 RESERVED CVE-2007-1283 @@ -3892,7 +3896,8 @@ CVE-2006-6945 (SQL injection vulnerability in Virtuemart 1.0.7 allows remote ...) NOT-FOR-US: VirtueMart CVE-2007-XXXX [libjabber DoS] - - centericq 4.21.0-18 (bug #406982) + - centericq 4.21.0-18 (unimportant; bug #406982) + NOTE: Affected function isn''t used in the source CVE-2007-XXXX [python-django flup/FastCGI/debugging issue] - python-django 0.95.1-1 (bug #407607) CVE-2007-XXXX [gstreamer-ffmpeg unspecified issue related to sps and pps ids] Modified: data/mopb.txt ==================================================================--- data/mopb.txt 2007-04-11 18:25:02 UTC (rev 5645) +++ data/mopb.txt 2007-04-11 19:51:12 UTC (rev 5646) 
@@ -81,17 +81,19 @@ #TODO for PHP5. Sarge not affected. CVE-2007-1453 17 PHP ext/filter FDF Post Bypass Vulnerability -TODO(low) -> ...or possibly "broken as designed". Sarge is not affected. +#TODO(low) -> ...or possibly "broken as designed". CVE-2007-1452, Sarge is not affected. 16 PHP zip:// URL Wrapper Buffer Overflow Vulnerability -VERIFY -> is this CVE-2007-0906/zip? i can''t reproduce it anyway... -This is CVE-2007-1399 +TODO, CVE-2007-1399, is the affected zip extension activated in the PHP build? + According to the Security Tracker it''s not built? -jmm 15 PHP shmop Functions Resource Verification Vulnerability TODO(medium) -> user-supplied data could be used to read/write arbitrary memory, CVE-2007-1376 + AFAICS this can only be triggered by malicious script and thus doesn''t fall under our + PHP security policy? -jmm 14 PHP substr_compare() Information Leak Vulnerability -TODO -> corner-case where length+offset > INT_MAX, CVE-2007-1375 +#TODO -> corner-case where length+offset > INT_MAX, CVE-2007-1375 13 PHP 4 Ovrimos Extension Multiple Vulnerabilities N/A -> Ovrimos support not provided in any debian php packages, CVE-2007-1379, CVE-2007-1378 @@ -118,13 +120,13 @@ N/A -> Only affects the Zend platform 05 PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability -Fixed in DSA-1264. CVE-2007-0988 +#Fixed in DSA-1264. CVE-2007-0988 04 PHP 4 unserialize() ZVAL Reference Counter Overflow TODO(medium) -> Arguably an app bug, but we should probably grab the fix anyway 03 PHP Variable Destructor Deep Recursion Stack Overflow -N/A -> Applications need to impose sanity checks for maximum recursion +#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2007-1285 02 PHP Executor Deep Recursion Stack Overflow N/A -> Applications need to impose sanity checks for maximum recursion
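Review bot: In the data/CVE/list hunk at @@ -851 (CVE-2007-1475), the new NOTE "Can only be triggered by malicious script" gives the reason for dropping php4 from low to unimportant but not the rule it applies; the mopb.txt hunk later in this commit phrases the same reasoning as "doesn't fall under our PHP security policy". Spell that policy out in the NOTE (for example "unimportant per PHP security policy: only reachable from a malicious script, not from user input") so the downgrade can be re-checked without reading the other file.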
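Review bot: In the hunk at @@ -970 (CVE-2007-1431), pennmush is rated low and given <no-dsa> "(Minor issue)" for both sarge and etch without a NOTE, although the CVE text only says "Multiple unspecified vulnerabilities in PennMUSH 1.8.3 before 1.8.3p1". The other severity changes in this commit each carry a NOTE line with the rationale; add one here (what the 1.8.3p1 changes actually are and why they are minor) so the no-dsa decision is reviewable later.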
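Review bot: In the hunk at @@ -1091 (CVE-2007-1375), the new NOTE "Should be fixed, could be used as a stepstone for further attacks" has a typo ("stepping stone") and replaces "Needs further investigation" without recording what the investigation found. The mopb.txt entry 14 for the same CVE still only says "corner-case where length+offset > INT_MAX" and is now prefixed with "#", so neither file says why the rating went from unknown to medium; one sentence in this NOTE on the concrete impact would close that gap.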
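Review bot: In the hunk at @@ -1346 (CVE-2007-1285), the NOTE "Needs to be sanisited within apps, only crashes the current instance anyway" has a typo ("sanitised") and reads as two unrelated clauses. Suggest "Applications need to impose recursion limits themselves; the bug only crashes the current PHP instance", which also matches the wording already used for entries 03 and 02 in data/mopb.txt ("Applications need to impose sanity checks for maximum recursion").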
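Review bot: In the hunk at @@ -3896 (CVE-2007-XXXX [libjabber DoS]), the entry and the log message disagree: the log says "centericq icq not-affected, fixed anyway", but the list records 4.21.0-18 as the fixed version with severity "unimportant" and the NOTE "Affected function isn't used in the source". Say in the NOTE that the package was not reachable-affected but the upstream fix was applied in 4.21.0-18 anyway, so a reader understands why an unaffected package carries a fixed version rather than a not-affected marker.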
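Review bot: In the data/mopb.txt hunk at @@ -81, entry 17 is headed "CVE-2007-1453 17 PHP ext/filter FDF Post Bypass Vulnerability" but the new line below it says "CVE-2007-1452, Sarge is not affected", so the same item now references two CVE ids. Confirm which id (or whether both) applies and make the heading and the note agree before the id is copied into data/CVE/list. The open questions left for entries 16 (is the zip extension built?) and 15 (does the shmop issue fall under the PHP policy?) are fine as TODOs, but each should gain a resolved status once answered so they are not mistaken for triaged items.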
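Review bot: In the data/mopb.txt hunk at @@ -118, entry 03 is marked "#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2007-1285", while the data/CVE/list hunk in the same commit keeps php4 and php5 at <unfixed> (unimportant) for CVE-2007-1285; the two files should agree on whether this is tracked as not-applicable or as unfixed-but-unimportant. Also, the "#" prefix this commit adds to entries 17, 14, 05 and 03 is never explained in the visible file; a one-line legend at the top of data/mopb.txt stating that "#" means the item has been carried over into data/CVE/list (if that is the intent) would make the file self-describing.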