oss-security - Re: Re: NULL byte poisoning fix in php 5.3.4+

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <AANLkTinkG15U9Ciqqx+x5d6p9FozP-xrVPq=d+ePypCP@mail.gmail.com>
Date: Thu, 9 Dec 2010 15:38:00 +0100
From: Pierre Joye <pierre.php@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: NULL byte poisoning fix in php 5.3.4+

On Thu, Dec 9, 2010 at 3:34 PM, Steven M. Christey
<coley@...us.mitre.org> wrote:
>
> On Thu, 9 Dec 2010, Pierre Joye wrote:
>
>> We are about to release 5.2.15 and 5.3.4, can anyone please get an id
>> for this issue?
>
> I just assigned CVE-2006-7243 to the http://bugs.php.net/39863 issue, i.e.
> NULL injection in file_exists() *only*.
>
> However, as already stated, the issue of NULL byte injection with PHP dates
> back to 1999 or so (ouch... I remember that).  If PHP is addressing NULL
> byte injection beyond just file_exists(), then that may need a separate CVE.

We fixed it for all file functions. See the link to the commit for
more details about which codes have been changed. Do we need a CVE for
every function? I hope not :)

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.