Author: keescook-guest Date: 2007-04-12 00:44:43 +0000 (Thu, 12 Apr 2007) New Revision: 5651
Modified: data/CVE/list data/mopb.txt Log: mobp updates, CVE markups to match Modified: data/CVE/list =================================================================== --- data/CVE/list 2007-04-11 21:44:23 UTC (rev 5650) +++ data/CVE/list 2007-04-12 00:44:43 UTC (rev 5651) @@ -873,7 +873,7 @@ CVE-2007-1585 (The Linksys WAG200G with firmware 1.01.01, WRT54GC 2 with firmware ...) NOT-FOR-US: Cisco CVE-2007-1584 (Buffer underflow in the header function in PHP 5.2.0 allows ...) - - php5 <unfixed> + - php5 <unfixed> (medium) CVE-2007-1583 (The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through ...) - php5 <unfixed> (medium) - php4 <unfixed> (medium) @@ -1107,9 +1107,9 @@ CVE-2007-1485 (** DISPUTED ** ...) NOT-FOR-US: LIBFtp CVE-2007-1484 (The array_user_key_compare function in PHP 4.4.6 and earlier, and 5.x ...) - - php4 <unfixed> (unimportant) - - php5 <unfixed> (unimportant) - NOTE: Internal function, only triggerable by malicious script + - php4 <unfixed> (medium) + - php5 <unfixed> (medium) + NOTE: local malicious scripts only, but allows arbitrary process memory access CVE-2007-1483 (Multiple PHP remote file inclusion vulnerabilities in WebCalendar ...) - webcalendar <unfixed> (high) NOTE: Requested removal from the archive @@ -1178,7 +1178,7 @@ CVE-2007-1453 (Buffer underflow in the PHP_FILTER_TRIM_DEFAULT macro in the filtering ...) - php5 <unfixed> (medium) CVE-2007-1452 (The FDF support (ext/fdf) in PHP 5.2.0 and earlier does not implement ...) - - php5 <unfixed> + - php5 <unfixed> (low) CVE-2007-1451 (GuppY 4.0 allows remote attackers to delete arbitrary files via a ...) NOT-FOR-US: GuppY CVE-2007-1450 (SQL injection vulnerability in mainfile.php in PHP-Nuke 8.0 and ...) 
@@ -1317,7 +1317,7 @@ CVE-2007-1400 (Plash permits sandboxed processes to open /dev/tty, which allows local ...) NOT-FOR-US: Plash CVE-2007-1399 (Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP ...) - - php5 <not-affected> (Vulnerable code not present) + - php5 <unfixed> (medium) CVE-2007-1398 (The frag3 preprocessor in Snort 2.6.1.1, 2.6.1.2, and 2.7.0 beta, when ...) - snort <not-affected> (Vulnerable code not present) CVE-2007-1397 (Multiple stack-based buffer overflows in the (1) ExtractRnick and (2) ...) @@ -1359,8 +1359,8 @@ CVE-2007-1381 (The wddx_deserialize function in wddx.c in PHP CVS as of 20070304 ...) - php5 <not-affected> (Affected only a php5 CVS version, not a release) CVE-2007-1380 (The php_binary serialization handler in the session extension in PHP ...) - - php4 <unfixed> - - php5 <unfixed> + - php4 <unfixed> (low) + - php5 <unfixed> (low) CVE-2007-1379 (The ovrimos_close function in the Ovrimos extension for PHP before ...) - php4 <not-affected> (Ovrimus support not included in Debian's PHP packages) CVE-2007-1378 (The ovrimos_longreadlen function in the Ovrimos extension for PHP ...) @@ -1371,7 +1371,7 @@ - php4 <unfixed> (medium) - php5 <unfixed> (medium) CVE-2007-1375 (Integer overflow in the substr_compare function in PHP 5.2.1 and ...) - - php5 <unfixed> (medium) + - php5 <unfixed> (low) NOTE: Should be fixed, could be used as a stepstone for further attacks CVE-2007-1374 (Cross-site scripting (XSS) vulnerability in pop_profile.asp in Snitz ...) NOT-FOR-US: Snitz Forums Modified: data/mopb.txt =================================================================== --- data/mopb.txt 2007-04-11 21:44:23 UTC (rev 5650) +++ data/mopb.txt 2007-04-12 00:44:43 UTC (rev 5651) 
@@ -54,19 +54,19 @@ #N/A Only triggerable by malicious script, CVE-2007-1582 26 PHP mb_parse_str() register_globals Activation Vulnerability -#TODO Should be fixed, CVE-2007-1583 +#TODO(medium) functionally enables register_globals for any future requests, CVE-2007-1583 (php4 & php5, enables stealth register_globals for life of process) 25 PHP header() Space Trimming Buffer Underflow Vulnerability -#TODO Should be fixed for PHP5, Sarge is not affected, CVE-2007-1584 +#TODO(medium) -> Should be fixed for PHP5, Sarge is not affected, CVE-2007-1584 (php5 5.2.0 only, code execution on big endian) 24 PHP array_user_key_compare() Double DTOR Vulnerability -#N/A Internal function, only triggerable by malicious script, CVE-2007-1484 +#TODO(medium) -> locally exploitable to gain access to process memory (not remote), CVE-2007-1484 (php4 & php5, code execution) 23 PHP 5 Rejected Session Identifier Double Free Vulnerability -TODO It's not yet clear, whether this can be exploited from a remote attacker +TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely (php5 5.2.0+, code execution) 22 PHP session_regenerate_id() Double Free Vulnerability -TODO It's not yet clear, whether this can be exploited from a remote attacker +TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely (php4 & php5, code execution) 21 PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability #N/A Safemode and open_basedir bypasses not supported, CVE-2007-1461 
@@ -75,43 +75,45 @@ #N/A Safemode and open_basedir bypasses not supported, CVE-2007-1460 19 PHP ext/filter Space Trimming Buffer Underflow Vulnerability -#TODO for PHP5. Sarge not affected. CVE-2007-1453 +#TODO(medium) for PHP5. Sarge not affected. CVE-2007-1453 (php5 5.2.0 only, code execution on big endian) 18 PHP ext/filter HTML Tag Stripping Bypass Vulnerability -#TODO for PHP5. Sarge not affected. CVE-2007-1453 +#TODO(medium) for PHP5. Sarge not affected. CVE-2007-1453 (php5 5.2.0 only, can avoid filters) 17 PHP ext/filter FDF Post Bypass Vulnerability -#TODO(low) -> ...or possibly "broken as designed". CVE-2007-1452, Sarge is not affected. +#TODO(low) -> ...or possibly "broken as designed". CVE-2007-1452, Sarge is not affected. (php5 5.2.0 only, can avoid filters) 16 PHP zip:// URL Wrapper Buffer Overflow Vulnerability -TODO, CVE-2007-1399, is the affected zip extension activated in the PHP build? - According to the Security Tracker it's not built? -jmm +#TODO(medium) -> possible remote data can result in code execution in 5.2.0 which uses the zip handler, CVE-2007-1399. (php5 5.2.0 only, code execution) 15 PHP shmop Functions Resource Verification Vulnerability -TODO(medium) -> user-supplied data could be used to read/write arbitrary memory, CVE-2007-1376 +#TODO(medium) -> user-supplied data could be used to read/write arbitrary memory, CVE-2007-1376 (php4 & php5, arbitrary memory leakage) AFAICS this can only be triggered by malicious script and thus doesn't fall under our PHP security policy? -jmm + Leaking SSL private keys from an Apache server is something a "normal" PHP + script is unable to do. If tiny memory leaks like MOPB 10, 11, and 14 are + going to be fixed, this one certainly should be fixed too. 
-kees 14 PHP substr_compare() Information Leak Vulnerability -#TODO -> corner-case where length+offset > INT_MAX, CVE-2007-1375 +#TODO(low) -> corner-case where length+offset > INT_MAX, CVE-2007-1375 (php5, heap leak) 13 PHP 4 Ovrimos Extension Multiple Vulnerabilities -N/A -> Ovrimos support not provided in any debian php packages, CVE-2007-1379, CVE-2007-1378 +#N/A -> Ovrimos support not provided in any debian php packages, CVE-2007-1379, CVE-2007-1378 12 mod_security POST Rules Bypass Vulnerability N/A -> applies to modsecurity, not packaged for sarge/etch/(sid?) 11 PHP WDDX Session Deserialization Information Leak Vulnerability -#Fixed in DSA-1264. CVE-2007-0908 +#Fixed in DSA-1264. CVE-2007-0908 (php4 & php5, controllable stack leak) 10 PHP php_binary Session Deserialization Information Leak Vulnerability -#TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380 +#TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380 (php4 & php5, heap leak) 09 PHP wddx_deserialize() String Append Buffer Overflow Vulnerability #N/A -> Only applies to a development version in CVS, not a shipped release 08 PHP 4 phpinfo() XSS Vulnerability (Deja-vu) -N/A -> phpinfo() is a debug function, not be exposed to applications +N/A -> phpinfo() is a debug function, not be exposed to applications (php4 4.4.3 through 4.4.6 only, phpinfo XSS) 07 Zend Platform ini_modifier Local Root Vulnerability (B) N/A -> Only affects the Zend platform 
@@ -120,18 +122,18 @@ N/A -> Only affects the Zend platform 05 PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability -#Fixed in DSA-1264. CVE-2007-0988 +#Fixed in DSA-1264. CVE-2007-0988 (php4 & php5, limited-time 100% CPU DoS) 04 PHP 4 unserialize() ZVAL Reference Counter Overflow -TODO(medium) -> Arguably an app bug, but we should probably grab the fix anyway +TODO(medium) -> Arguably an app bug, but we should probably grab the fix anyway (php4 only, gain execute control) 03 PHP Variable Destructor Deep Recursion Stack Overflow -#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2007-1285 +#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2007-1285 (php4 & php5, crash only) 02 PHP Executor Deep Recursion Stack Overflow -N/A -> Applications need to impose sanity checks for maximum recursion +#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2006-1549 (php4 & php5, crash only) 01 PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability -#N/A -> Only triggerable by malicious script, CVE-2007-1383 +#N/A -> Only triggerable by malicious script, CVE-2007-1383 (php4 only, gain execute control) (Comments starting with # indicate that information has been fed to the tracker) _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits
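Review bot: in the data/CVE/list hunk at @@ -873, the (medium) rating added to the php5 line for CVE-2007-1584 carries none of the version scoping that the matching mopb.txt entry 25 records in the same commit ("php5 5.2.0 only", "Sarge is not affected"). Add a NOTE line under the php5 entry, as the neighbouring CVE-2007-1484 entry already has, so the tracker does not read as if every shipped php5 build were affected.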
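Review bot: in the data/CVE/list hunk at @@ -1107, the new NOTE for CVE-2007-1484 ("local malicious scripts only, but allows arbitrary process memory access") and the mopb.txt entry 24 line rewritten in this same commit ("php4 & php5, code execution") state different impacts for the same issue. Since the jump from unimportant to medium rests on that impact, pick one wording for both files; if memory access is the conservative claim, the mopb line should say that rather than "code execution".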
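Review bot: in the data/CVE/list hunk at @@ -1317, the php5 line for CVE-2007-1399 flips from <not-affected> (Vulnerable code not present) to <unfixed> (medium) with no NOTE recording why the earlier determination was wrong. The mopb.txt hunk for entry 16 drops jmm's open question about whether the zip extension is built at all and replaces it with "5.2.0 which uses the zip handler"; record that finding in the tracker entry too, e.g. `NOTE: zip handler present in php5 5.2.0 only`, so the reversal is auditable from data/CVE/list alone.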
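Review bot: in the data/CVE/list hunk at @@ -1371, the severity for CVE-2007-1375 drops from medium to low while the unchanged NOTE ("Should be fixed, could be used as a stepstone for further attacks") still reads as the argument for the higher rating. Carry the reason given in mopb.txt entry 14 (corner case where length+offset > INT_MAX, heap leak) into the NOTE so the downgrade is explained in the tracker itself.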
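Review bot: in the data/mopb.txt hunk at @@ -54, entries 23 and 22 gain a TODO(medium) rating and a "code execution" impact but, unlike 26, 25 and 24 in the same hunk, still have no leading "#" and no CVE identifier. By the file's own legend ("Comments starting with # indicate that information has been fed to the tracker") nothing for them exists in data/CVE/list; either add identifiers and matching tracker entries in this commit or mark the ids as pending on those lines.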
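Review bot: in the data/mopb.txt hunk at @@ -75, the rewritten lines for entries 19 and 18 both keep CVE-2007-1453 while describing different issues (a trim buffer underflow with "code execution on big endian" versus a tag stripping bypass that "can avoid filters"). The data/CVE/list description for CVE-2007-1453 covers only the PHP_FILTER_TRIM_DEFAULT macro underflow, so entry 18 most likely needs its own identifier; double-check before feeding the "(can avoid filters)" annotation to the tracker under 1453.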
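Review bot: in the data/mopb.txt hunk at @@ -120, entry 01 stays #N/A with "Only triggerable by malicious script" while the same line now annotates it "(php4 only, gain execute control)", and entry 04 keeps a bare TODO(medium) with no "#" and no CVE id. This is the same script-only situation that this commit uses to raise entry 24 / CVE-2007-1484 from unimportant to medium, so either the rating for 01 (and 04) should follow the same rule or the N/A should state why script-triggered execute control is acceptable there but not for 24.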