Date:      Tue, 18 Nov 2008 17:04:29 +0300
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        Jille Timmermans <jille@quis.cx>, cve@mitre.org, coley@mitre.org
Cc:        freebsd-security@freebsd.org, bug-followup@freebsd.org
Subject:   Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6
Message-ID:  <9a6isDG2HABVFiTQKRYgHLbugj0@N7cbPDipnvOyJMD9YzFbYf8QNqE>
In-Reply-To: <4922B6F9.2000408@quis.cx>
References:  <20081118103433.38D5817115@shadow.codelabs.ru> <4922B371.6070002@quis.cx> <TqoTo5jliabZzOUld/zrRy5vtzI@%2BC9avPjAe6kfv7rH%2BxyHzR2RFw8> <4922B6F9.2000408@quis.cx>


Steven, CVE-supporters, good day.

Today I submitted FreeBSD's VuXML entry for CVE-2008-3659 and it
seems to be erroneously saying "PHP 5.6".  Could you please try to
follow the discussion and say something about the entry's description
text?

Tue, Nov 18, 2008 at 01:37:13PM +0100, Jille Timmermans wrote:
> "PHP 5.2 through 5.2.6" makes the most sense.
> However, "PHP 5.1 through" or even "PHP 5 through" are also possible.

I had glanced over PHP's CVS repository: the code in question exists
even at the PHP 5.0 branchpoint (source line 128 and below):
  http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?revision=1.88&view=markup&pathrev=PHP_5_0

My built-in history tracer tells me the following story:

1. Current code traces back to zend_operators.h, rev 1.72,
   http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?view=log#rev1.72

2. The function was moved to ZendEngine2/zend_operators.h from
   ext/standard/php_string.h, rev 1.74,
   http://cvs.php.net/viewvc.cgi/php-src/ext/standard/php_string.h?view=log#rev1.74

3. Vulnerable code seems to have been here since rev 1.40:
   http://cvs.php.net/viewvc.cgi/php-src/ext/standard/php_string.h?r1=1.39&r2=1.40&view=patch

So the issue seems to have been here since some 4.0.x or even 3.x.

> I don't know much about CVE's; can we provide them feedback for this typo?
>
> I think the best is to wait for the CVE to get fixed and fix it
> in the vuxml entry afterwards.

Yes, that will be the best thing.  So, gentlemen from the CVE maintainers
team, it seems that the entry for CVE-2008-3659 should be fixed by
saying "PHP 5 through 5.2.6" -- the bug seems to have existed over the
whole lifetime of the 5.x branch.

> I think you also had that plan ;)

Sort of ;))

Thanks to everyone!
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
