[Secure-testing-commits] r5651 - in data: . CVE
Kees Cook
keescook-guest at alioth.debian.org
Thu Apr 12 00:44:46 UTC 2007
Author: keescook-guest
Date: 2007-04-12 00:44:43 +0000 (Thu, 12 Apr 2007)
New Revision: 5651
Modified:
data/CVE/list
data/mopb.txt
Log:
mopb updates, CVE markups to match
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2007-04-11 21:44:23 UTC (rev 5650)
+++ data/CVE/list 2007-04-12 00:44:43 UTC (rev 5651)
@@ -873,7 +873,7 @@
CVE-2007-1585 (The Linksys WAG200G with firmware 1.01.01, WRT54GC 2 with firmware ...)
NOT-FOR-US: Cisco
CVE-2007-1584 (Buffer underflow in the header function in PHP 5.2.0 allows ...)
- - php5 <unfixed>
+ - php5 <unfixed> (medium)
CVE-2007-1583 (The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through ...)
- php5 <unfixed> (medium)
- php4 <unfixed> (medium)
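Review bot: the new "(medium)" on the php5 line for CVE-2007-1584 carries no version scoping, although the matching mopb.txt entry in this same commit records that only php5 5.2.0 is affected and Sarge is not; add a NOTE line under the entry, as other php entries in this file already do, so the tracker does not read as if every shipped php5 is unfixed.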
@@ -1107,9 +1107,9 @@
CVE-2007-1485 (** DISPUTED ** ...)
NOT-FOR-US: LIBFtp
CVE-2007-1484 (The array_user_key_compare function in PHP 4.4.6 and earlier, and 5.x ...)
- - php4 <unfixed> (unimportant)
- - php5 <unfixed> (unimportant)
- NOTE: Internal function, only triggerable by malicious script
+ - php4 <unfixed> (medium)
+ - php5 <unfixed> (medium)
+ NOTE: local malicious scripts only, but allows arbitrary process memory access
CVE-2007-1483 (Multiple PHP remote file inclusion vulnerabilities in WebCalendar ...)
- webcalendar <unfixed> (high)
NOTE: Requested removal from the archive
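Review bot: raising CVE-2007-1484 from unimportant to medium on the grounds in the new NOTE ("local malicious scripts only, but allows arbitrary process memory access") sits uneasily with how the same commit treats CVE-2007-1383 in data/mopb.txt, which stays #N/A as "Only triggerable by malicious script" even though it is annotated "gain execute control"; either both should move to medium or the NOTE here should say what distinguishes the two cases, otherwise the policy being applied is unclear.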
@@ -1178,7 +1178,7 @@
CVE-2007-1453 (Buffer underflow in the PHP_FILTER_TRIM_DEFAULT macro in the filtering ...)
- php5 <unfixed> (medium)
CVE-2007-1452 (The FDF support (ext/fdf) in PHP 5.2.0 and earlier does not implement ...)
- - php5 <unfixed>
+ - php5 <unfixed> (low)
CVE-2007-1451 (GuppY 4.0 allows remote attackers to delete arbitrary files via a ...)
NOT-FOR-US: GuppY
CVE-2007-1450 (SQL injection vulnerability in mainfile.php in PHP-Nuke 8.0 and ...)
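Review bot: the "(low)" severity added for CVE-2007-1452 agrees with the TODO(low) in mopb.txt, but the tracker entry drops the qualifiers recorded there ("php5 5.2.0 only", "Sarge is not affected", and the doubt that this may be "broken as designed"); a NOTE line with the version scope and that doubt would keep the two files in step and tell the reader why the rating is only low.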
@@ -1317,7 +1317,7 @@
CVE-2007-1400 (Plash permits sandboxed processes to open /dev/tty, which allows local ...)
NOT-FOR-US: Plash
CVE-2007-1399 (Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP ...)
- - php5 <not-affected> (Vulnerable code not present)
+ - php5 <unfixed> (medium)
CVE-2007-1398 (The frag3 preprocessor in Snort 2.6.1.1, 2.6.1.2, and 2.7.0 beta, when ...)
- snort <not-affected> (Vulnerable code not present)
CVE-2007-1397 (Multiple stack-based buffer overflows in the (1) ExtractRnick and (2) ...)
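Review bot: flipping php5 for CVE-2007-1399 from "<not-affected> (Vulnerable code not present)" to "<unfixed> (medium)" reverses an earlier determination without recording what changed; the mopb.txt line replaced in this commit still held jmm's open question whether the zip extension is built at all, so add a NOTE saying how it was confirmed that the zip:// wrapper code is present in Debian's php5 5.2.0 build, otherwise the next person to check the build may silently undo the reversal.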
@@ -1359,8 +1359,8 @@
CVE-2007-1381 (The wddx_deserialize function in wddx.c in PHP CVS as of 20070304 ...)
- php5 <not-affected> (Affected only a php5 CVS version, not a release)
CVE-2007-1380 (The php_binary serialization handler in the session extension in PHP ...)
- - php4 <unfixed>
- - php5 <unfixed>
+ - php4 <unfixed> (low)
+ - php5 <unfixed> (low)
CVE-2007-1379 (The ovrimos_close function in the Ovrimos extension for PHP before ...)
- php4 <not-affected> (Ovrimus support not included in Debian's PHP packages)
CVE-2007-1378 (The ovrimos_longreadlen function in the Ovrimos extension for PHP ...)
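Review bot: the "(low)" rating added for CVE-2007-1380 is justified in mopb.txt by "Can only leak 127 bytes of data", but nothing in the tracker entry says so; add a NOTE with that rationale, as CVE-2007-1375 in this file already has one, so the rating can be reassessed later without going back to mopb.txt.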
@@ -1371,7 +1371,7 @@
- php4 <unfixed> (medium)
- php5 <unfixed> (medium)
CVE-2007-1375 (Integer overflow in the substr_compare function in PHP 5.2.1 and ...)
- - php5 <unfixed> (medium)
+ - php5 <unfixed> (low)
NOTE: Should be fixed, could be used as a stepstone for further attacks
CVE-2007-1374 (Cross-site scripting (XSS) vulnerability in pop_profile.asp in Snitz ...)
NOT-FOR-US: Snitz Forums
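Review bot: CVE-2007-1375 is downgraded from medium to low, but the unchanged NOTE beneath it ("Should be fixed, could be used as a stepstone for further attacks") was written to support the higher rating and now reads as an argument against the new one; update the NOTE to carry the reasoning given in mopb.txt (corner case where length+offset > INT_MAX, a heap leak) so the rating and its justification agree.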
Modified: data/mopb.txt
===================================================================
--- data/mopb.txt 2007-04-11 21:44:23 UTC (rev 5650)
+++ data/mopb.txt 2007-04-12 00:44:43 UTC (rev 5651)
@@ -54,19 +54,19 @@
#N/A Only triggerable by malicious script, CVE-2007-1582
26 PHP mb_parse_str() register_globals Activation Vulnerability
-#TODO Should be fixed, CVE-2007-1583
+#TODO(medium) functionally enables register_globals for any future requests, CVE-2007-1583 (php4 & php5, enables stealth register_globals for life of process)
25 PHP header() Space Trimming Buffer Underflow Vulnerability
-#TODO Should be fixed for PHP5, Sarge is not affected, CVE-2007-1584
+#TODO(medium) -> Should be fixed for PHP5, Sarge is not affected, CVE-2007-1584 (php5 5.2.0 only, code execution on big endian)
24 PHP array_user_key_compare() Double DTOR Vulnerability
-#N/A Internal function, only triggerable by malicious script, CVE-2007-1484
+#TODO(medium) -> locally exploitable to gain access to process memory (not remote), CVE-2007-1484 (php4 & php5, code execution)
23 PHP 5 Rejected Session Identifier Double Free Vulnerability
-TODO It's not yet clear, whether this can be exploited from a remote attacker
+TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely (php5 5.2.0+, code execution)
22 PHP session_regenerate_id() Double Free Vulnerability
-TODO It's not yet clear, whether this can be exploited from a remote attacker
+TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely (php4 & php5, code execution)
21 PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability
#N/A Safemode and open_basedir bypasses not supported, CVE-2007-1461
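Review bot: the new line for MOPB 26 says the same thing twice ("functionally enables register_globals for any future requests" and "enables stealth register_globals for life of process"); keep one phrasing, ideally in the trailing parenthetical that the other entries use for impact, so the line matches the format of the rest of the file. Separately, MOPB 23 and 22 (the php5 session double frees) are now TODO(medium) but still carry no # and cite no CVE id, so per the legend at the end of the file nothing corresponding exists in the tracker yet; either a CVE reference or a note that none has been assigned would make that explicit.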
@@ -75,43 +75,45 @@
#N/A Safemode and open_basedir bypasses not supported, CVE-2007-1460
19 PHP ext/filter Space Trimming Buffer Underflow Vulnerability
-#TODO for PHP5. Sarge not affected. CVE-2007-1453
+#TODO(medium) for PHP5. Sarge not affected. CVE-2007-1453 (php5 5.2.0 only, code execution on big endian)
18 PHP ext/filter HTML Tag Stripping Bypass Vulnerability
-#TODO for PHP5. Sarge not affected. CVE-2007-1453
+#TODO(medium) for PHP5. Sarge not affected. CVE-2007-1453 (php5 5.2.0 only, can avoid filters)
17 PHP ext/filter FDF Post Bypass Vulnerability
-#TODO(low) -> ...or possibly "broken as designed". CVE-2007-1452, Sarge is not affected.
+#TODO(low) -> ...or possibly "broken as designed". CVE-2007-1452, Sarge is not affected. (php5 5.2.0 only, can avoid filters)
16 PHP zip:// URL Wrapper Buffer Overflow Vulnerability
-TODO, CVE-2007-1399, is the affected zip extension activated in the PHP build?
- According to the Security Tracker it's not built? -jmm
+#TODO(medium) -> possible remote data can result in code execution in 5.2.0 which uses the zip handler, CVE-2007-1399. (php5 5.2.0 only, code execution)
15 PHP shmop Functions Resource Verification Vulnerability
-TODO(medium) -> user-supplied data could be used to read/write arbitrary memory, CVE-2007-1376
+#TODO(medium) -> user-supplied data could be used to read/write arbitrary memory, CVE-2007-1376 (php4 & php5, arbitrary memory leakage)
AFAICS this can only be triggered by malicious script and thus doesn't fall under our
PHP security policy? -jmm
+ Leaking SSL private keys from an Apache server is something a "normal" PHP
+ script is unable to do. If tiny memory leaks like MOPB 10, 11, and 14 are
+ going to be fixed, this one certainly should be fixed too. -kees
14 PHP substr_compare() Information Leak Vulnerability
-#TODO -> corner-case where length+offset > INT_MAX, CVE-2007-1375
+#TODO(low) -> corner-case where length+offset > INT_MAX, CVE-2007-1375 (php5, heap leak)
13 PHP 4 Ovrimos Extension Multiple Vulnerabilities
-N/A -> Ovrimos support not provided in any debian php packages, CVE-2007-1379, CVE-2007-1378
+#N/A -> Ovrimos support not provided in any debian php packages, CVE-2007-1379, CVE-2007-1378
12 mod_security POST Rules Bypass Vulnerability
N/A -> applies to modsecurity, not packaged for sarge/etch/(sid?)
11 PHP WDDX Session Deserialization Information Leak Vulnerability
-#Fixed in DSA-1264. CVE-2007-0908
+#Fixed in DSA-1264. CVE-2007-0908 (php4 & php5, controllable stack leak)
10 PHP php_binary Session Deserialization Information Leak Vulnerability
-#TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380
+#TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380 (php4 & php5, heap leak)
09 PHP wddx_deserialize() String Append Buffer Overflow Vulnerability
#N/A -> Only applies to a development version in CVS, not a shipped release
08 PHP 4 phpinfo() XSS Vulnerability (Deja-vu)
-N/A -> phpinfo() is a debug function, not be exposed to applications
+N/A -> phpinfo() is a debug function, not be exposed to applications (php4 4.4.3 through 4.4.6 only, phpinfo XSS)
07 Zend Platform ini_modifier Local Root Vulnerability (B)
N/A -> Only affects the Zend platform
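Review bot: MOPB 19 and MOPB 18 both cite CVE-2007-1453, yet data/CVE/list in this same commit describes that id as the PHP_FILTER_TRIM_DEFAULT buffer underflow, which is MOPB 19 only; the HTML tag stripping bypass in MOPB 18 is a different bug and will almost certainly carry a different id, so check the reference before the "(can avoid filters)" annotation is fed to the tracker under the wrong CVE.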
@@ -120,18 +122,18 @@
N/A -> Only affects the Zend platform
05 PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability
-#Fixed in DSA-1264. CVE-2007-0988
+#Fixed in DSA-1264. CVE-2007-0988 (php4 & php5, limited-time 100% CPU DoS)
04 PHP 4 unserialize() ZVAL Reference Counter Overflow
-TODO(medium) -> Arguably an app bug, but we should probably grab the fix anyway
+TODO(medium) -> Arguably an app bug, but we should probably grab the fix anyway (php4 only, gain execute control)
03 PHP Variable Destructor Deep Recursion Stack Overflow
-#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2007-1285
+#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2007-1285 (php4 & php5, crash only)
02 PHP Executor Deep Recursion Stack Overflow
-N/A -> Applications need to impose sanity checks for maximum recursion
+#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2006-1549 (php4 & php5, crash only)
01 PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability
-#N/A -> Only triggerable by malicious script, CVE-2007-1383
+#N/A -> Only triggerable by malicious script, CVE-2007-1383 (php4 only, gain execute control)
(Comments starting with # indicate that information has been fed to the tracker)
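Review bot: MOPB 02 is now marked # (fed to the tracker) and gains the reference CVE-2006-1549, but none of the data/CVE/list hunks in this commit touch that id; confirm the tracker entry for CVE-2006-1549 already carries the matching N/A "crash only" assessment, otherwise the # is premature. Also, MOPB 04 (TODO(medium), "gain execute control") and MOPB 01 (#N/A, "Only triggerable by malicious script", also "gain execute control") are both php4 ZVAL reference counter overflows with the same stated impact but opposite dispositions; a word on why one is tracked and the other is not would help the next reader.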