From owner-freebsd-security@FreeBSD.ORG Mon Sep 8 16:34:22 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1AC6D1065671 for ; Mon, 8 Sep 2008 16:34:22 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org) Received: from QMTA04.westchester.pa.mail.comcast.net (qmta04.westchester.pa.mail.comcast.net [76.96.62.40]) by mx1.freebsd.org (Postfix) with ESMTP id BC90E8FC22 for ; Mon, 8 Sep 2008 16:34:21 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org) Received: from OMTA11.westchester.pa.mail.comcast.net ([76.96.62.36]) by QMTA04.westchester.pa.mail.comcast.net with comcast id CCBM1a0090mv7h054GJKxc; Mon, 08 Sep 2008 16:18:19 +0000 Received: from koitsu.dyndns.org ([67.180.253.227]) by OMTA11.westchester.pa.mail.comcast.net with comcast id CGJJ1a00L4v8bD73XGJJnu; Mon, 08 Sep 2008 16:18:19 +0000 X-Authority-Analysis: v=1.0 c=1 a=B4vypQ2SMr0A:10 a=6I5d2MoRAAAA:8 a=ue5APn2yAAAA:8 a=QycZ5dHgAAAA:8 a=19ixDgaoKT3zGBaQa_sA:9 a=bNvIoA5fbWoHeNuoB1oA:7 a=JijkwyIQ4i2ipZbQekV1H1IQ_9oA:4 a=EoioJ0NPDVgA:10 a=LY0hPdMaydYA:10 Received: by icarus.home.lan (Postfix, from userid 1000) id 39DC217B84E; Mon, 8 Sep 2008 09:18:18 -0700 (PDT) Date: Mon, 8 Sep 2008 09:18:18 -0700 From: Jeremy Chadwick To: Andrew Storms Message-ID: <20080908161818.GA72963@icarus.home.lan> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.18 (2008-05-17) Cc: freebsd-security@freebsd.org Subject: Re: Question on recent PHP VuXML info X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Sep 2008 16:34:22 -0000 On Mon, Sep 08, 2008 at 08:33:49AM -0700, Andrew Storms wrote: > Not sure if this is the correct place for VuXML questions, but the FreeBSD > VuXML list ( http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty > dead given the last update was in 2007 according to the archives. > > We were previously tracking this entry, which pretty much sat for a while > without an applicable upgradeable resolution available. > > Affected package: php5-posix-5.2.6 > Type of problem: php -- input validation error in posix_access function. > Reference: > .html> > ----------- > > Then late last week, the same VuXML ID started reporting this information > instead: > > Affected package: php5-5.2.6 > Type of problem: php -- input validation error in safe_mode. > Reference: > .html> > ------------ > > The generic question I'm asking is: What happened and why? Seems to me that > if you have a VuXML ID (which, I thought wasn't suppose to be re-used), then > it's name and description shouldn't just apparently change one day. > > So is the prior "php5-posix-5.2.6" and the now "php5-5.2.6" with same ID, > the same bug, a new description, does the newer supercede, etc, etc? Where > can I get the background on what went on here? My initial impression after reading the full disclosures on SecurityFocus is that these two flaws are separate, and should have been given separate VuXML IDs: CVE-2008-2665: http://www.securityfocus.com/bid/29797 CVE-2008-2666: http://www.securityfocus.com/bid/29796 As for the CVS commits under scrutiny, here they are in chronological order: Revision 1.1645 Revision 1.1646 Revision 1.1647 Revision 1.1676 http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vuxml/vuln.xml -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |