Author: jmm-guest Date: 2007-04-18 21:01:34 +0000 (Wed, 18 Apr 2007) New Revision: 5672 Modified: data/mopb.txt Log: reorg for better overview Modified: data/mopb.txt ==================================================================--- data/mopb.txt 2007-04-18 21:00:24 UTC (rev 5671) +++ data/mopb.txt 2007-04-18 21:01:34 UTC (rev 5672) @@ -4,30 +4,12 @@ 44 PHP 5.2.0 Memory Manager Signed Comparision Vulnerability #TODO(medium) -> remotely exploitable via SOAP interfaces, CVE-2007-1889 (php5 5.2.0 only) -43 PHP msg_receive() Memory Allocation Integer Overflow Vulnerabilty -#N/A -> Only triggerable by malicious script, CVE-2007-1890 (php4 & php5, local code execution, possibly FreeBSD only) - 42 PHP 5 php_stream_filter_create() Off By One Vulnerablity #TODO(medium) -> needs to be fixed, Sarge not affected, CVE-2007-1824 (php5, remote code execution, though haven''t reproduced it) 41 PHP 5 sqlite_udf_decode_binary() Buffer Overflow Vulnerability #TODO(medium) -> for PHP5, not activated in the PHP4 build, CVE-2007-1887. (php4 & php5, remote code execution) -40 PHP imap_mail_compose() Boundary Stack Buffer Overflow Vulnerability -#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1825 - -39 PHP str_replace() Memory Allocation Integer Overflow Vulnerability -#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1885 - -38 PHP printf() Family 64 Bit Casting Vulnerabilities -#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0909/CVE-2007-1884 - -37 PHP iptcembed() Interruption Information Leak Vulnerability -#N/A -> Only triggerable by malicious script, CVE-2007-1883 (php4 & php5, local code execution) - -36 PHP session.save_path open_basedir Bypass Vulnerability -#N/A -> open_basedir bypasses not supported, CVE-2007-1461 - 35 PHP 4 zip_entry_read() Integer Overflow Vulnerability #TODO(medium) -> needs to be fixed, CVE-2007-1777 (php4, remote code execution) 
@@ -39,28 +21,14 @@ 32 PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability (U) TODO(medium) -> needs to be fixed in php/etch, sarge not affected (php4 4.4.5/4.4.6, remote code execution) +[MOPB-32-php4.diff] -31 PHP _SESSION Deserialization Overwrite Vulnerability -#N/A -> register_globals not supported, already fixed in DSA-1264, dupe CVE-2007-0910/CVE-2007-1701 (php4 & php5, very hard to trigger remotely, code execution) - 30 PHP _SESSION unset() Vulnerability #TODO(low) -> hard to trigger remotely, CVE-2007-1700. (php4 & php5, code execution) -29 PHP 5.2.1 unserialize() Information Leak Vulnerability -#N/A -> Only affects PHP 5.2.1 (heap leak via broken "S" unserializer, which should maybe be removed from 5.2.1, since it is only for future compatibility and is totally broken?) - -28 PHP hash_update_file() Already Freed Resource Access Vulnerability -#N/A -> Only triggerable by malicious script, CVE-2007-1581 (php5, local malicious stream handler leads to code execution) - -27 PHP ext/gd Already Freed Resource Access Vulnerability -#N/A -> Only triggerable by malicious script, CVE-2007-1582 (php4 & php5, local malicious error handler leads to code execution) - 26 PHP mb_parse_str() register_globals Activation Vulnerability #TODO(medium) -> functionally enables register_globals for any future requests, CVE-2007-1583 (php4 & php5, enables stealth register_globals for life of process) -25 PHP header() Space Trimming Buffer Underflow Vulnerability -#Fixed in Etch as part of the 5.2.1 backport, dupe CVE-2007-0907/CVE-2007-1584 - 24 PHP array_user_key_compare() Double DTOR Vulnerability N/A Only triggerable by malicious script, CVE-2007-1484 (php4 & php5, code execution) 
@@ -69,13 +37,8 @@ 22 PHP session_regenerate_id() Double Free Vulnerability #TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1521 (php4 & php5, code execution) +[MOPB-22-php4.diff] -21 PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability -#N/A -> Safemode and open_basedir bypasses not supported, CVE-2007-1461 - -20 PHP zip:// URL Wrapper safemode and open_basedir Bypass Vulnerability -#N/A Safemode and open_basedir bypasses not supported, CVE-2007-1460 - 19 PHP ext/filter Space Trimming Buffer Underflow Vulnerability #TODO(medium) -> for PHP5. Sarge not affected. CVE-2007-1453 (php5 5.2.0 only, code execution on big endian) 
@@ -88,12 +51,62 @@ 16 PHP zip:// URL Wrapper Buffer Overflow Vulnerability #TODO(medium) -> possible remote data can result in code execution in 5.2.0 which uses the zip handler, CVE-2007-1399. (php5 5.2.0 only, code execution) +14 PHP substr_compare() Information Leak Vulnerability +#TODO(low) -> corner-case where length+offset > INT_MAX, CVE-2007-1375 (php5, heap leak) + +10 PHP php_binary Session Deserialization Information Leak Vulnerability +#TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380 (php4 & php5, heap leak) +Check, to which extent this was covered by our backports of 5.2.1 patches + +04 PHP 4 unserialize() ZVAL Reference Counter Overflow +TODO (php4 only, gain execute control) +[MOPB-04-php4.diff] + + +Done or resolved: + +43 PHP msg_receive() Memory Allocation Integer Overflow Vulnerabilty +#N/A -> Only triggerable by malicious script, CVE-2007-1890 (php4 & php5, local code execution, possibly FreeBSD only) + +40 PHP imap_mail_compose() Boundary Stack Buffer Overflow Vulnerability +#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1825 + +39 PHP str_replace() Memory Allocation Integer Overflow Vulnerability +#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1885 + +38 PHP printf() Family 64 Bit Casting Vulnerabilities +#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0909/CVE-2007-1884 + +37 PHP iptcembed() Interruption Information Leak Vulnerability +#N/A -> Only triggerable by malicious script, CVE-2007-1883 (php4 & php5, local code execution) + +36 PHP session.save_path open_basedir Bypass Vulnerability +#N/A -> open_basedir bypasses not supported, CVE-2007-1461 + +31 PHP _SESSION Deserialization Overwrite Vulnerability +#N/A -> register_globals not supported, already fixed in DSA-1264, dupe CVE-2007-0910/CVE-2007-1701 (php4 & php5, very hard to trigger remotely, code execution) + +29 PHP 5.2.1 unserialize() Information Leak Vulnerability 
+#N/A -> Only affects PHP 5.2.1 (heap leak via broken "S" unserializer, which should maybe be removed from 5.2.1, since it is only for future compatibility and is totally broken?) + +28 PHP hash_update_file() Already Freed Resource Access Vulnerability +#N/A -> Only triggerable by malicious script, CVE-2007-1581 (php5, local malicious stream handler leads to code execution) + +27 PHP ext/gd Already Freed Resource Access Vulnerability +#N/A -> Only triggerable by malicious script, CVE-2007-1582 (php4 & php5, local malicious error handler leads to code execution) + +25 PHP header() Space Trimming Buffer Underflow Vulnerability +#Fixed in Etch as part of the 5.2.1 backport, dupe CVE-2007-0907/CVE-2007-1584 + +21 PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability +#N/A -> Safemode and open_basedir bypasses not supported, CVE-2007-1461 + +20 PHP zip:// URL Wrapper safemode and open_basedir Bypass Vulnerability +#N/A Safemode and open_basedir bypasses not supported, CVE-2007-1460 + 15 PHP shmop Functions Resource Verification Vulnerability N/A Only triggerable by malicious script, could be used to read/write arbitrary memory, CVE-2007-1376 (php4 & php5, arbitrary memory leakage) -14 PHP substr_compare() Information Leak Vulnerability -#TODO(low) -> corner-case where length+offset > INT_MAX, CVE-2007-1375 (php5, heap leak) - 13 PHP 4 Ovrimos Extension Multiple Vulnerabilities #N/A -> Ovrimos support not provided in any debian php packages, CVE-2007-1379, CVE-2007-1378 
@@ -103,10 +116,6 @@ 11 PHP WDDX Session Deserialization Information Leak Vulnerability #Fixed in DSA-1264. CVE-2007-0908 (php4 & php5, controllable stack leak) -10 PHP php_binary Session Deserialization Information Leak Vulnerability -#TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380 (php4 & php5, heap leak) -Check, to which extent this was covered by our backports of 5.2.1 patches - 09 PHP wddx_deserialize() String Append Buffer Overflow Vulnerability #N/A -> Only applies to a development version in CVS, not a shipped release, CVE-2007-1381. @@ -122,9 +131,6 @@ 05 PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability #Fixed in DSA-1264. CVE-2007-0988 (php4 & php5, limited-time 100% CPU DoS) -04 PHP 4 unserialize() ZVAL Reference Counter Overflow -TODO(medium) -> Arguably an app bug, but we should probably grab the fix anyway (php4 only, gain execute control) - 03 PHP Variable Destructor Deep Recursion Stack Overflow #N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2007-1285 (php4 & php5, crash only) @@ -134,4 +140,8 @@ 01 PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability #N/A -> Only triggerable by malicious script, CVE-2007-1383 (php4 only, gain execute control) + + + (Comments starting with # indicate that information has been fed to the tracker) +(Comments starting with TOFIX indicate that a patch has been created or extracted)
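Review bot: The first hunk (@@ -4,30 +4,12 @@) carries several title typos through the reorganisation unchanged: "Comparision" in entry 44, "Vulnerablity" in entry 42, "Vulnerabilty" in entry 43 (which is being moved anyway) and the doubled apostrophe in "haven''t" under entry 42; since the file is being rewritten for overview, fix them now so the headings match the MOPB advisory titles and grep cleanly.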
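Review bot: In the second hunk (@@ -39,28 +21,14 @@) the new "+[MOPB-32-php4.diff]" marker sits under entry 32, whose status line reads "TODO(medium)" without the "#" prefix that the legend reserves for items already fed to the tracker, and whose title carries an unexplained "(U)" suffix; say what "(U)" means or drop it, and add the "#" once the entry is in the tracker. The context line for entry 24 ("N/A Only triggerable by malicious script, ...") likewise lacks both the "#" and the "->" every other status line uses, so its tracker state is ambiguous.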
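Review bot: In the third hunk (@@ -69,13 +37,8 @@) entry 21 (compress.bzip2:// wrapper safemode/open_basedir bypass) cites CVE-2007-1461, and entry 36 (session.save_path open_basedir bypass), moved in this same commit, cites the same CVE-2007-1461; one of the two looks like a copied ID, so verify against the tracker before both land under "Done or resolved" with a shared reference. The "N/A Safemode ..." line for entry 20 is also missing the "->" that entry 21 uses.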
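Review bot: In the fourth hunk (@@ -88,12 +51,62 @@) entry 04 loses information in the move: the old line "TODO(medium) -> Arguably an app bug, but we should probably grab the fix anyway" becomes a bare "TODO (php4 only, gain execute control)", dropping both the severity and the rationale; keep "TODO(medium)" and the comment next to the new "[MOPB-04-php4.diff]" marker so its priority stays comparable with the other open items. Entry 10 is moved with its open question "Check, to which extent this was covered by our backports of 5.2.1 patches" still unanswered, which is fine for the open section but worth resolving before it is marked done.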
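Review bot: The last hunk (@@ -134,4 +140,8 @@) adds a legend line "(Comments starting with TOFIX indicate that a patch has been created or extracted)" that describes a convention the file does not use: the patch markers introduced in this same commit are bracketed file names ("[MOPB-32-php4.diff]", "[MOPB-22-php4.diff]", "[MOPB-04-php4.diff]") and no line starts with TOFIX. Either switch those entries to TOFIX comments or reword the legend to describe the "[MOPB-NN-php4.diff]" marker, and reduce the three added blank "+" lines before the legend to one.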