Moritz Muehlenhoff
2007-Apr-19 20:58 UTC
[Secure-testing-commits] r5683 - in data: . CVE patches/MOPB/php4-etch patches/MOPB/php4-sarge
Author: jmm-guest
Date: 2007-04-19 20:57:57 +0000 (Thu, 19 Apr 2007)
New Revision: 5683
Added:
data/patches/MOPB/php4-etch/074-CVE-2007-1286-MOPB-04.patch
data/patches/MOPB/php4-sarge/CVE-2007-1286-MOPB-04.patch
Modified:
data/CVE/list
data/mopb.txt
Log:
more php4 updates
Modified: data/CVE/list
==================================================================---
data/CVE/list 2007-04-19 20:50:22 UTC (rev 5682)
+++ data/CVE/list 2007-04-19 20:57:57 UTC (rev 5683)
@@ -847,6 +847,7 @@
NOT-FOR-US: mcweject
CVE-2007-1718 (CRLF injection vulnerability in the mail function in PHP 4.0.0
through ...)
- php4 <unfixed> (medium)
+ [sarge] - php4 <not-affected> (Vulnerable code not present)
- php5 <unfixed> (medium)
CVE-2007-1717 (The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through
5.2.1 ...)
- php4 <unfixed> (unimportant)
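Review bot: The added `[sarge] - php4 <not-affected> (Vulnerable code not present)` line gives no pointer to why sarge differs, although the CVE summary directly above it starts the affected range at PHP 4.0.0 and the sarge patch added in this same revision targets php4-4.3.10. Extend the parenthetical to name the function or the version in which the vulnerable code appeared, so the not-affected status can be re-checked later without redoing the analysis.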
Modified: data/mopb.txt
==================================================================---
data/mopb.txt 2007-04-19 20:50:22 UTC (rev 5682)
+++ data/mopb.txt 2007-04-19 20:57:57 UTC (rev 5683)
@@ -16,12 +16,8 @@
26 PHP mb_parse_str() register_globals Activation Vulnerability
#TODO(medium) -> functionally enables register_globals for any future
requests, CVE-2007-1583 (php4 & php5, enables stealth register_globals for
life of process)
-23 PHP 5 Rejected Session Identifier Double Free Vulnerability
-#TODO(medium) -> locally exploitable to gain access to process memory, hard
to do remotely, CVE-2007-1522. (php5 5.2.0+, code execution)
-
22 PHP session_regenerate_id() Double Free Vulnerability
#TODO(medium) -> locally exploitable to gain access to process memory, hard
to do remotely, CVE-2007-1521 (php4 & php5, code execution)
-[MOPB-22-php4.diff]
[MOPB-22-php5.diff]
10 PHP php_binary Session Deserialization Information Leak Vulnerability
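Review bot: Dropping `[MOPB-22-php4.diff]` from entry 22 leaves that entry described as "php4 & php5" and still tagged `#TODO(medium)`, with only `[MOPB-22-php5.diff]` referenced. If the php4 diff was superseded or already merged into the packages, record that in the entry or in the log message ("more php4 updates" does not cover it); as it stands the entry reads as if no php4 fix is available.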
@@ -59,6 +55,9 @@
#TODO(medium) -> needs to be fixed, CVE-2007-1824 (php5, remote code
execution, though haven''t reproduced it)
[MOPB-42-php5.diff]
+23 PHP 5 Rejected Session Identifier Double Free Vulnerability
+#TODO(medium) -> locally exploitable to gain access to process memory, hard
to do remotely, CVE-2007-1522. (php5 5.2.0+, code execution)
+
19 PHP ext/filter Space Trimming Buffer Underflow Vulnerability
#TODO(medium) -> for PHP5. CVE-2007-1453 (php5 5.2.0 only, code execution on
big endian)
@@ -176,16 +175,15 @@
# php4 checklist
Sarge Etch
-41
-35
-32
+41 ? ?
+35 ? ?
34 / a
-30
+32 a a
+30
26
-23
-22
+22 a a
10 a a
-04
+04 a a
? = more info
x = fix needed
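Review bot: Row `30` is removed and re-added with no status in either column, and row `26` stays empty, while 41 and 35 now carry `? ?`. If 30 and 26 are simply not yet reviewed, mark them `? ?` too so that a blank row is not ambiguous. The statuses `a` and `/` used in the rows are not defined in the part of the legend visible here (`? = more info`, `x = fix needed`); make sure the legend covers them.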
Added: data/patches/MOPB/php4-etch/074-CVE-2007-1286-MOPB-04.patch
==================================================================---
data/patches/MOPB/php4-etch/074-CVE-2007-1286-MOPB-04.patch 2007-04-19 20:50:22
UTC (rev 5682)
+++ data/patches/MOPB/php4-etch/074-CVE-2007-1286-MOPB-04.patch 2007-04-19
20:57:57 UTC (rev 5683)
@@ -0,0 +1,24 @@
+--- php4/ext/standard/var_unserializer.c 2006/08/09 23:29:17 1.18.4.24.2.7
++++ php4-4.4.4/ext/standard/var_unserializer.c 2006/10/27 08:35:25
1.18.4.24.2.8
+@@ -958,6 +958,10 @@
+
+ if (*rval == *rval_ref) return 0;
+
++ if ((*rval_ref)->refcount > 65500) {
++ return 0;
++ }
++
+ if (*rval != NULL) {
+ zval_ptr_dtor(rval);
+ }
+@@ -999,6 +1003,10 @@
+
+ id = parse_iv(start + 2) - 1;
+ if (id == -1 || var_access(var_hash, id, &rval_ref) != SUCCESS) {
++ return 0;
++ }
++
++ if ((*rval_ref)->refcount > 65500) {
+ return 0;
+ }
+
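Review bot: The threshold `65500` in both added `(*rval_ref)->refcount > 65500` checks is a bare literal, repeated at two sites with no comment. A short comment stating which limit of the refcount field it guards, or one named constant used by both checks, would make the bound reviewable and keep the two sites from drifting apart. Both checks also bail out with a plain `return 0`, the same value the existing error paths in the context lines return, so a caller cannot tell a refused reference from malformed input; say so in the patch description if that is intended.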
Added: data/patches/MOPB/php4-sarge/CVE-2007-1286-MOPB-04.patch
==================================================================---
data/patches/MOPB/php4-sarge/CVE-2007-1286-MOPB-04.patch 2007-04-19 20:50:22 UTC
(rev 5682)
+++ data/patches/MOPB/php4-sarge/CVE-2007-1286-MOPB-04.patch 2007-04-19 20:57:57
UTC (rev 5683)
@@ -0,0 +1,24 @@
+--- php4/ext/standard/var_unserializer.c 2006/08/09 23:29:17 1.18.4.24.2.7
++++ php4-4.3.10/ext/standard/var_unserializer.c 2006/10/27 08:35:25
1.18.4.24.2.8
+@@ -958,6 +958,10 @@
+
+ if (*rval == *rval_ref) return 0;
+
++ if ((*rval_ref)->refcount > 65500) {
++ return 0;
++ }
++
+ if (*rval != NULL) {
+ zval_ptr_dtor(rval);
+ }
+@@ -999,6 +1003,10 @@
+
+ id = parse_iv(start + 2) - 1;
+ if (id == -1 || var_access(var_hash, id, &rval_ref) != SUCCESS) {
++ return 0;
++ }
++
++ if ((*rval_ref)->refcount > 65500) {
+ return 0;
+ }
+
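Review bot: This sarge patch is identical to the etch one apart from the `php4-4.3.10` path, including the inner hunk positions `@@ -958,6 +958,10 @@` and `@@ -999,6 +1003,10 @@` and the upstream revision pair 1.18.4.24.2.7 to 1.18.4.24.2.8. Confirm that it applies to the 4.3.10 tree without offset or fuzz and that the context lines match there; if the positions differ, regenerate the patch against the sarge source so the headers describe the file it is applied to.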