[Secure-testing-commits] r5672 - data
Moritz Muehlenhoff
jmm-guest at alioth.debian.org
Wed Apr 18 21:01:35 UTC 2007
Author: jmm-guest
Date: 2007-04-18 21:01:34 +0000 (Wed, 18 Apr 2007)
New Revision: 5672
Modified:
data/mopb.txt
Log:
reorg for better overview
Modified: data/mopb.txt
===================================================================
--- data/mopb.txt 2007-04-18 21:00:24 UTC (rev 5671)
+++ data/mopb.txt 2007-04-18 21:01:34 UTC (rev 5672)
@@ -4,30 +4,12 @@
44 PHP 5.2.0 Memory Manager Signed Comparision Vulnerability
#TODO(medium) -> remotely exploitable via SOAP interfaces, CVE-2007-1889 (php5 5.2.0 only)
-43 PHP msg_receive() Memory Allocation Integer Overflow Vulnerabilty
-#N/A -> Only triggerable by malicious script, CVE-2007-1890 (php4 & php5, local code execution, possibly FreeBSD only)
-
42 PHP 5 php_stream_filter_create() Off By One Vulnerablity
#TODO(medium) -> needs to be fixed, Sarge not affected, CVE-2007-1824 (php5, remote code execution, though haven't reproduced it)
41 PHP 5 sqlite_udf_decode_binary() Buffer Overflow Vulnerability
#TODO(medium) -> for PHP5, not activated in the PHP4 build, CVE-2007-1887. (php4 & php5, remote code execution)
-40 PHP imap_mail_compose() Boundary Stack Buffer Overflow Vulnerability
-#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1825
-
-39 PHP str_replace() Memory Allocation Integer Overflow Vulnerability
-#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1885
-
-38 PHP printf() Family 64 Bit Casting Vulnerabilities
-#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0909/CVE-2007-1884
-
-37 PHP iptcembed() Interruption Information Leak Vulnerability
-#N/A -> Only triggerable by malicious script, CVE-2007-1883 (php4 & php5, local code execution)
-
-36 PHP session.save_path open_basedir Bypass Vulnerability
-#N/A -> open_basedir bypasses not supported, CVE-2007-1461
-
35 PHP 4 zip_entry_read() Integer Overflow Vulnerability
#TODO(medium) -> needs to be fixed, CVE-2007-1777 (php4, remote code execution)
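Review bot: entry 43 is moved out of the open list on a qualified rationale ("possibly FreeBSD only"); confirm the platform scope before filing it as resolved, or keep it under TODO with that question noted. Also, entry 36 cites CVE-2007-1461, the same id that entry 21 carries in a later hunk; check that the two entries really share one CVE rather than one of them being a transcription slip, since both comments start with `#` and so have been fed to the tracker.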
@@ -39,28 +21,14 @@
32 PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability (U)
TODO(medium) -> needs to be fixed in php/etch, sarge not affected (php4 4.4.5/4.4.6, remote code execution)
+[MOPB-32-php4.diff]
-31 PHP _SESSION Deserialization Overwrite Vulnerability
-#N/A -> register_globals not supported, already fixed in DSA-1264, dupe CVE-2007-0910/CVE-2007-1701 (php4 & php5, very hard to trigger remotely, code execution)
-
30 PHP _SESSION unset() Vulnerability
#TODO(low) -> hard to trigger remotely, CVE-2007-1700. (php4 & php5, code execution)
-29 PHP 5.2.1 unserialize() Information Leak Vulnerability
-#N/A -> Only affects PHP 5.2.1 (heap leak via broken "S" unserializer, which should maybe be removed from 5.2.1, since it is only for future compatibility and is totally broken?)
-
-28 PHP hash_update_file() Already Freed Resource Access Vulnerability
-#N/A -> Only triggerable by malicious script, CVE-2007-1581 (php5, local malicious stream handler leads to code execution)
-
-27 PHP ext/gd Already Freed Resource Access Vulnerability
-#N/A -> Only triggerable by malicious script, CVE-2007-1582 (php4 & php5, local malicious error handler leads to code execution)
-
26 PHP mb_parse_str() register_globals Activation Vulnerability
#TODO(medium) -> functionally enables register_globals for any future requests, CVE-2007-1583 (php4 & php5, enables stealth register_globals for life of process)
-25 PHP header() Space Trimming Buffer Underflow Vulnerability
-#Fixed in Etch as part of the 5.2.1 backport, dupe CVE-2007-0907/CVE-2007-1584
-
24 PHP array_user_key_compare() Double DTOR Vulnerability
N/A Only triggerable by malicious script, CVE-2007-1484 (php4 & php5, code execution)
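Review bot: the new `[MOPB-32-php4.diff]` marker is not covered by the legend at the end of the file, which says patch availability is flagged by a comment starting with TOFIX; either prefix the marker (`TOFIX [MOPB-32-php4.diff]`) or adjust the legend so the two agree. Separately, entry 24 stays in the open list although its status is "N/A Only triggerable by malicious script", the same reasoning used to move 43, 37, 28 and 27 to "Done or resolved"; it should probably move with them.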
@@ -69,13 +37,8 @@
22 PHP session_regenerate_id() Double Free Vulnerability
#TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1521 (php4 & php5, code execution)
+[MOPB-22-php4.diff]
-21 PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability
-#N/A -> Safemode and open_basedir bypasses not supported, CVE-2007-1461
-
-20 PHP zip:// URL Wrapper safemode and open_basedir Bypass Vulnerability
-#N/A Safemode and open_basedir bypasses not supported, CVE-2007-1460
-
19 PHP ext/filter Space Trimming Buffer Underflow Vulnerability
#TODO(medium) -> for PHP5. Sarge not affected. CVE-2007-1453 (php5 5.2.0 only, code execution on big endian)
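Review bot: entry 22 lists both php4 and php5 as affected, but only `[MOPB-22-php4.diff]` is recorded; add the php5 patch reference or a note that it is still outstanding, so the TODO is not read as fully patched.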
@@ -88,12 +51,62 @@
16 PHP zip:// URL Wrapper Buffer Overflow Vulnerability
#TODO(medium) -> possible remote data can result in code execution in 5.2.0 which uses the zip handler, CVE-2007-1399. (php5 5.2.0 only, code execution)
+14 PHP substr_compare() Information Leak Vulnerability
+#TODO(low) -> corner-case where length+offset > INT_MAX, CVE-2007-1375 (php5, heap leak)
+
+10 PHP php_binary Session Deserialization Information Leak Vulnerability
+#TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380 (php4 & php5, heap leak)
+Check, to which extent this was covered by our backports of 5.2.1 patches
+
+04 PHP 4 unserialize() ZVAL Reference Counter Overflow
+TODO (php4 only, gain execute control)
+[MOPB-04-php4.diff]
+
+
+Done or resolved:
+
+43 PHP msg_receive() Memory Allocation Integer Overflow Vulnerabilty
+#N/A -> Only triggerable by malicious script, CVE-2007-1890 (php4 & php5, local code execution, possibly FreeBSD only)
+
+40 PHP imap_mail_compose() Boundary Stack Buffer Overflow Vulnerability
+#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1825
+
+39 PHP str_replace() Memory Allocation Integer Overflow Vulnerability
+#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1885
+
+38 PHP printf() Family 64 Bit Casting Vulnerabilities
+#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0909/CVE-2007-1884
+
+37 PHP iptcembed() Interruption Information Leak Vulnerability
+#N/A -> Only triggerable by malicious script, CVE-2007-1883 (php4 & php5, local code execution)
+
+36 PHP session.save_path open_basedir Bypass Vulnerability
+#N/A -> open_basedir bypasses not supported, CVE-2007-1461
+
+31 PHP _SESSION Deserialization Overwrite Vulnerability
+#N/A -> register_globals not supported, already fixed in DSA-1264, dupe CVE-2007-0910/CVE-2007-1701 (php4 & php5, very hard to trigger remotely, code execution)
+
+29 PHP 5.2.1 unserialize() Information Leak Vulnerability
+#N/A -> Only affects PHP 5.2.1 (heap leak via broken "S" unserializer, which should maybe be removed from 5.2.1, since it is only for future compatibility and is totally broken?)
+
+28 PHP hash_update_file() Already Freed Resource Access Vulnerability
+#N/A -> Only triggerable by malicious script, CVE-2007-1581 (php5, local malicious stream handler leads to code execution)
+
+27 PHP ext/gd Already Freed Resource Access Vulnerability
+#N/A -> Only triggerable by malicious script, CVE-2007-1582 (php4 & php5, local malicious error handler leads to code execution)
+
+25 PHP header() Space Trimming Buffer Underflow Vulnerability
+#Fixed in Etch as part of the 5.2.1 backport, dupe CVE-2007-0907/CVE-2007-1584
+
+21 PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability
+#N/A -> Safemode and open_basedir bypasses not supported, CVE-2007-1461
+
+20 PHP zip:// URL Wrapper safemode and open_basedir Bypass Vulnerability
+#N/A Safemode and open_basedir bypasses not supported, CVE-2007-1460
+
15 PHP shmop Functions Resource Verification Vulnerability
N/A Only triggerable by malicious script, could be used to read/write arbitrary memory, CVE-2007-1376 (php4 & php5, arbitrary memory leakage)
-14 PHP substr_compare() Information Leak Vulnerability
-#TODO(low) -> corner-case where length+offset > INT_MAX, CVE-2007-1375 (php5, heap leak)
-
13 PHP 4 Ovrimos Extension Multiple Vulnerabilities
#N/A -> Ovrimos support not provided in any debian php packages, CVE-2007-1379, CVE-2007-1378
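Review bot: the new "Done or resolved:" section mixes entries that were actually fixed (40, 39, 38 via DSA-1264, 25 via the 5.2.1 backport) with ones marked N/A because the feature is unsupported in Debian (36, 21, 20) or because they need a malicious script (43, 37, 28, 27); a reader checking what shipped in a DSA cannot tell them apart at a glance. Consider two sub-headings ("Fixed" / "Not applicable") or grouping by the existing `#Fixed` vs `#N/A` prefix.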
@@ -103,10 +116,6 @@
11 PHP WDDX Session Deserialization Information Leak Vulnerability
#Fixed in DSA-1264. CVE-2007-0908 (php4 & php5, controllable stack leak)
-10 PHP php_binary Session Deserialization Information Leak Vulnerability
-#TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380 (php4 & php5, heap leak)
-Check, to which extent this was covered by our backports of 5.2.1 patches
-
09 PHP wddx_deserialize() String Append Buffer Overflow Vulnerability
#N/A -> Only applies to a development version in CVS, not a shipped release, CVE-2007-1381.
@@ -122,9 +131,6 @@
05 PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability
#Fixed in DSA-1264. CVE-2007-0988 (php4 & php5, limited-time 100% CPU DoS)
-04 PHP 4 unserialize() ZVAL Reference Counter Overflow
-TODO(medium) -> Arguably an app bug, but we should probably grab the fix anyway (php4 only, gain execute control)
-
03 PHP Variable Destructor Deep Recursion Stack Overflow
#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2007-1285 (php4 & php5, crash only)
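Review bot: moving entry 04 drops both its severity rating and its rationale ("TODO(medium) -> Arguably an app bug, but we should probably grab the fix anyway"); the re-added line in the earlier hunk reads only "TODO". The log message describes this commit as a reorg, so carry the rating and the reasoning over unchanged, or say in the log why 04 was downgraded.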
@@ -134,4 +140,8 @@
01 PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability
#N/A -> Only triggerable by malicious script, CVE-2007-1383 (php4 only, gain execute control)
+
+
+
(Comments starting with # indicate that information has been fed to the tracker)
+(Comments starting with TOFIX indicate that a patch has been created or extracted)
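Review bot: the new legend line describes a TOFIX comment prefix, but the patch references added in this same commit are written as `[MOPB-32-php4.diff]`, `[MOPB-22-php4.diff]` and `[MOPB-04-php4.diff]` without it; pick one notation so the legend matches the file. The three added blank lines before the legend also look accidental.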