[Secure-testing-commits] r5658 - in data: . CVE
Kees Cook
keescook-guest at alioth.debian.org
Mon Apr 16 21:01:30 UTC 2007
Author: keescook-guest
Date: 2007-04-16 21:01:26 +0000 (Mon, 16 Apr 2007)
New Revision: 5658
Modified:
data/CVE/list
data/mopb.txt
Log:
mopb: more details, CVEs, and list updates.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2007-04-16 19:34:30 UTC (rev 5657)
+++ data/CVE/list 2007-04-16 21:01:26 UTC (rev 5658)
@@ -567,9 +567,9 @@
- php4 <unfixed> (medium)
- php5 <unfixed> (medium)
CVE-2007-1717 (The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 ...)
- - php4 <unfixed> (unimportant)
- - php5 <unfixed> (unimportant)
- NOTE: Hardly a security problem
+ - php4 <unfixed> (low)
+ - php5 <unfixed> (low)
+ NOTE: Barely a security problem.
CVE-2007-1716 (pam_console does not properly restore ownership for certain console ...)
NOT-FOR-US: pam_console
CVE-2007-1715 (PHP remote file inclusion vulnerability in frontpage.php in Free Image ...)
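Review bot: the severity bump for CVE-2007-1717 from unimportant to low is not explained by the accompanying NOTE, which now reads `NOTE: Barely a security problem.` and argues against the higher rating; the reason for the raise (the phishing angle recorded for MOPB-33 in data/mopb.txt in this same commit) belongs here too, e.g. `NOTE: Low impact; NUL truncation of the message body only matters if the application passes unsanitized input to mail()`, so a later triager does not revert the rating for lack of a rationale.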
@@ -610,8 +610,8 @@
NOTE: register_globals not supported
NOTE: Dupe of CVE-2007-0910
CVE-2007-1700 (The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2.1, ...)
- - php4 <unfixed> (unknown)
- - php5 <unfixed> (unknown)
+ - php4 <unfixed> (low)
+ - php5 <unfixed> (low)
NOTE: Should be fixed, if remotely exploitable
CVE-2007-1699 (Multiple PHP remote file inclusion vulnerabilities in the SWmenu ...)
NOT-FOR-US: Mambo module SWmenu
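Review bot: raising CVE-2007-1700 from unknown to low leaves `NOTE: Should be fixed, if remotely exploitable` dangling; that conditional was the reason for the unknown rating, and the MOPB-30 entry in data/mopb.txt in this commit concludes `hard to trigger remotely`, so the NOTE should record that conclusion (e.g. `NOTE: Hard to trigger remotely; low priority`) rather than leave the question open next to a rating that already answers it.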
@@ -1017,9 +1017,10 @@
CVE-2007-1523 (Heap-based buffer overflow in the kernel in NetBSD 3.0, certain ...)
NOT-FOR-US: NetBSD
CVE-2007-1522 (Double free vulnerability in the session extension in PHP 5.2.0 and ...)
- - php5 <unfixed>
+ - php5 <unfixed> (medium)
CVE-2007-1521 (Double free vulnerability in PHP 5.2.1 and earlier allows ...)
- - php5 <unfixed>
+ - php5 <unfixed> (medium)
+ - php4 <unfixed> (medium)
CVE-2007-1520 (The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 does ...)
NOT-FOR-US: PHP-Nuke
CVE-2007-1519 (Cross-site scripting (XSS) vulnerability in modules.php in PHP-Nuke ...)
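Review bot: the new `+ - php4 <unfixed> (medium)` line for CVE-2007-1521 is inserted after php5, whereas every other entry in this file lists php4 before php5 (see the CVE-2007-1717 and CVE-2007-1700 entries above); keep the order consistent so package lines line up when the file is diffed or parsed. A NOTE pointing at MOPB-22 would also help, since the CVE text only names `PHP 5.2.1 and earlier` and a reader cannot otherwise tell why a php4 line was added.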
Modified: data/mopb.txt
===================================================================
--- data/mopb.txt 2007-04-16 19:34:30 UTC (rev 5657)
+++ data/mopb.txt 2007-04-16 21:01:26 UTC (rev 5658)
@@ -8,7 +8,7 @@
#TODO, needs to be fixed, Sarge not affected
41 PHP 5 sqlite_udf_decode_binary() Buffer Overflow Vulnerability
-TODO for PHP5, not activated in the PHP4 build, possible also a dupe of CVE-2007-0906
+TODO for PHP5, not activated in the PHP4 build, possible also a dupe of CVE-2007-0906, CVE-2007-1887. (php4 & php5, remote code execution)
40 PHP imap_mail_compose() Boundary Stack Buffer Overflow Vulnerability
# Already fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1825
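Review bot: the edited line `+TODO for PHP5, not activated in the PHP4 build, possible also a dupe of CVE-2007-0906, CVE-2007-1887. (php4 & php5, remote code execution)` is ambiguous: appending CVE-2007-1887 after the comma reads as a second dupe candidate, while the rest of the file places the entry's own id after the status text; if CVE-2007-1887 is this issue's id, separate it from the dupe clause (e.g. `..., possibly also a dupe of CVE-2007-0906. CVE-2007-1887 (...)`). The line is also the only remote-code-execution TODO in this commit without a `(severity)` tag or leading `#`, and `possible also` should read `possibly also`.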
@@ -20,37 +20,37 @@
# Already fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0909/CVE-2007-1884
37 PHP iptcembed() Interruption Information Leak Vulnerability
-#N/A Only triggerable by malicious script
+#N/A Only triggerable by malicious script, CVE-2007-1883 (php4 & php5, local code execution)
36 PHP session.save_path open_basedir Bypass Vulnerability
#N/A open_basedir bypasses not supported, CVE-2007-1461
35 PHP 4 zip_entry_read() Integer Overflow Vulnerability
-#TODO, needs to be fixed, CVE-2007-1777
+#TODO(medium), needs to be fixed, CVE-2007-1777 (php4, remote code execution)
34 PHP mail() Header Injection Through Subject and To Parameters
-#TODO, needs to be fixed, CVE-2007-1718
+#TODO(medium), needs to be fixed, CVE-2007-1718 (php4 & php5, header injection possible via some MTAs when set to process the headers for recipients)
33 PHP mail() Message ASCIIZ Byte Truncation
-#N/A I don't see how this can become a security problem, CVE-2007-1717
+#TODO(low) applications could end up vulnerable to phishing attacks if attackers injected a nearly correct-looking email content prior to the NULL byte, CVE-2007-1717 (php4 & php5, possible phishing or other impersonation possible, though this problem is really a problem with the application allowing unsanitized inputs)
32 PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability (U)
-TODO, needs to be fixed in php/etch, sarge not affected
+TODO(medium), needs to be fixed in php/etch, sarge not affected (php4 4.4.5/4.4.6, remote code execution)
31 PHP _SESSION Deserialization Overwrite Vulnerability
-#N/A register_globals not supported, already fixed in DSA-1264, dupe CVE-2007-0910/CVE-2007-1701
+#N/A register_globals not supported, already fixed in DSA-1264, dupe CVE-2007-0910/CVE-2007-1701 (php4 & php5, very hard to trigger remotely, code execution)
30 PHP _SESSION unset() Vulnerability
-#TODO, CVE-2007-1700
+#TODO(low), hard to trigger remotely, CVE-2007-1700. (php4 & php5, code execution)
29 PHP 5.2.1 unserialize() Information Leak Vulnerability
-#N/A Only affects PHP 5.2.1
+#N/A Only affects PHP 5.2.1 (heap leak via broken "S" unserializer, which should maybe be removed from 5.2.1, since it is only for future compatibility and is totally broken?)
28 PHP hash_update_file() Already Freed Resource Access Vulnerability
-#N/A Only triggerable by malicious script, CVE-2007-1581
+#N/A Only triggerable by malicious script, CVE-2007-1581 (php5, local malicious stream handler leads to code execution)
27 PHP ext/gd Already Freed Resource Access Vulnerability
-#N/A Only triggerable by malicious script, CVE-2007-1582
+#N/A Only triggerable by malicious script, CVE-2007-1582 (php4 & php5, local malicious error handler leads to code execution)
26 PHP mb_parse_str() register_globals Activation Vulnerability
#TODO(medium) functionally enables register_globals for any future requests, CVE-2007-1583 (php4 & php5, enables stealth register_globals for life of process)
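Review bot: entry 32 (`+TODO(medium), needs to be fixed in php/etch, sarge not affected (php4 4.4.5/4.4.6, remote code execution)`) is the only TODO in this hunk that records no CVE id and has no leading `#`; if no id has been assigned yet, say so explicitly (e.g. `no CVE yet`) so the gap is not mistaken for an oversight when this file is cross-checked against data/CVE/list. Minor: trailing punctuation varies (`CVE-2007-1700.` vs `CVE-2007-1777`), and the parenthetical question on entry 29 about removing the `S` unserializer is an upstream suggestion rather than a Debian status and would be clearer as a separate remark.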
@@ -62,10 +62,10 @@
#TODO(medium) -> locally exploitable to gain access to process memory (not remote), CVE-2007-1484 (php4 & php5, code execution)
23 PHP 5 Rejected Session Identifier Double Free Vulnerability
-TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely (php5 5.2.0+, code execution)
+#TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1522. (php5 5.2.0+, code execution)
22 PHP session_regenerate_id() Double Free Vulnerability
-TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely (php4 & php5, code execution)
+#TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1521 (php4 & php5, code execution)
21 PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability
#N/A Safemode and open_basedir bypasses not supported, CVE-2007-1461
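Review bot: these two lines gain the `#` prefix and their CVE ids, matching entry 24 above, but the file never states what the leading `#` denotes, and entries 41, 32 and 08 still lack it; either add a one-line legend at the top of data/mopb.txt or apply the prefix uniformly so a grep for `^#TODO` returns a complete set of open items. Trailing punctuation also differs between `CVE-2007-1522.` and `CVE-2007-1521`.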
@@ -100,7 +100,7 @@
#N/A -> Ovrimos support not provided in any debian php packages, CVE-2007-1379, CVE-2007-1378
12 mod_security POST Rules Bypass Vulnerability
-N/A -> applies to modsecurity, not packaged for sarge/etch/(sid?)
+#N/A -> applies to modsecurity, not packaged for sarge/etch/(sid?), CVE-2007-1359.
11 PHP WDDX Session Deserialization Information Leak Vulnerability
#Fixed in DSA-1264. CVE-2007-0908 (php4 & php5, controllable stack leak)
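Review bot: marking entry 12 N/A while the line still carries `(sid?)` leaves the sid status unresolved; an N/A justified by `not packaged` only holds if that is true for every suite tracked here, so confirm the sid state before closing the entry. The added CVE-2007-1359 should also get a matching NOT-FOR-US line in data/CVE/list if one is not there already, so the two files agree.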
@@ -110,7 +110,7 @@
Check, to which extent this was covered by our backports of 5.2.1 patches
09 PHP wddx_deserialize() String Append Buffer Overflow Vulnerability
-#N/A -> Only applies to a development version in CVS, not a shipped release
+#N/A -> Only applies to a development version in CVS, not a shipped release, CVE-2007-1381.
08 PHP 4 phpinfo() XSS Vulnerability (Deja-vu)
N/A -> phpinfo() is a debug function, not be exposed to applications (php4 4.4.3 through 4.4.6 only, phpinfo XSS)
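Review bot: the unchanged context line for entry 08, `N/A -> phpinfo() is a debug function, not be exposed to applications`, lacks the `#` prefix that the edited entry 09 line and the other status lines in this region carry, and reads `not be exposed` where `not to be exposed` is meant; since this commit is normalizing status lines, it is worth fixing here too. Entry 09's new CVE-2007-1381 likewise needs a NOT-FOR-US or development-only note in data/CVE/list so the tracker and this file stay consistent.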