Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: <cve-assign-AZamIotjMK3YtjvyW6yDsg <at> public.gmane.org>
Subject: Re: php header() header injection detection bypass
Newsgroups: gmane.comp.security.oss.general
Date: Tuesday 4th September 2012 19:02:25 UTC (over 5 years ago)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> - 5.3.11, https://github.com/php/php-src/blob/704bbb3263d0ec9a6b4a767bbc516e55388f4b0e/main/SAPI.c#L593
>   has the issue completely fixed

Note that, in the
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1398
entry, the
affected versions are "PHP before 5.3.11." (We do know that 5.3.11
was released about 2 months after 5.4.0.)

>This is perfect, thanks. Please use CVE-2012-4388 for the incomplete
>fix for CVE-2011-1398.

There may be a difference in terminology here. Some CVE entries have a
"NOTE: this vulnerability exists because of an incomplete fix for
CVE-####-####." sentence. This means that a product originally had a
vulnerability (for example, CVE-AAAA-BBBB) that had vectors V1 and V2
in version X.Y. Then, a new version X.Z was released in which a code
change prevented exploitation through vector V1, but still allowed
exploitation through vector V2. Here, a new CVE (for example,
CVE-CCCC-DDDD) is needed because vector V2 is now known to have
different affected versions than vector V1. The CVE-CCCC-DDDD
description would mention "vulnerability in X.Z ... via V2 ... NOTE:
this vulnerability exists because of an incomplete fix for
CVE-AAAA-BBBB."

In the current situation, CVE-2011-1398 will probably be modified soon
to have a "NOTE: this vulnerability exists because of an incomplete
fix for CVE-####-####." sentence. However, unless another related
vulnerability is discovered in the future, there won't be any CVE
entry with a "NOTE: this vulnerability exists because of an incomplete
fix for CVE-2011-1398." sentence. Because of this, "Please use
CVE-2012-4388 for the incomplete fix for CVE-2011-1398" is potentially
confusing to some people.

Although a vulnerability statement such as "First one still has the
possibility of injecting '\r' before the first '\n'" can be associated
with the concept of an incomplete fix, MITRE does not consider the fix
to be an "incomplete fix for" a different CVE (that references a
better patch). In our terminology, the "incomplete fix for" phrase is
only used for pointers in the opposite direction. And, of course, CVEs
are assigned to vulnerabilities, not to fixes.

>The second one kills the protection for the NUL byte check, so it won't
>allow header splitting for Apache SAPI, but FastCGI stuff will be
affected,

A mostly unrelated comment is that MITRE doesn't associate the
"incomplete fix" concept with this "kills the protection for the NUL
byte check" issue. A code change occurred during the process of trying
to fix a vulnerability, but the effect of the code change was to
introduce a different vulnerability.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html
]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)

iQEcBAEBAgAGBQJQRk5FAAoJEGvefgSNfHMdQFoIAMBTeZtPoZHxY1a3UtCkV6H0
cB8//BTAhm60tUjoaR9YE+VOYYxkPqLAzGG/U0Mv+Zg4atOBAv6i2YZdsDnt6Pih
+13H2jv1GGtbqBeLu69b9b+9ehrLNJ1tcrQCJEMOFBtZqvTBh7do5m8pRBsUjjNp
zVWdBaz3/ISm0SiNbQ2GRY6kqc169mhh56cJ8vPpG1ZNP7xSzTgQtPR+o5+DbV84
30BAp97kwykdc5EBsRqaAA5ZRvCVSHNl0Hz9YD/9YGDJN3KOxJSys0hPuloEFk/B
Exaa5VdrPearyf0U+HdiJ+ZFwGiqNIrZqfbE8iO+mP8SfS9hiltHTEhhMJlsw0o=
=9KKK
-----END PGP SIGNATURE-----
 
CD: 4ms