oss-sec mailing list archives

Re: Re: php header() header injection detection bypass


From: Raphael Geissert <geissert () debian org>
Date: Thu, 6 Sep 2012 20:56:24 -0500

On Wednesday 05 September 2012 12:05:43 cve-assign () mitre org wrote:
[...]
In the actual situation, the
https://bugs.php.net/patch-display.php?bug_id=60227&patch=SAPI.diff&revision=1320563128
patch had a logic flaw related to the "((p = memchr(s, '\n', (e - s))) ||
(p = memchr(s, '\r', (e - s))))" expression. MITRE prefers to categorize
this type of situation as an "incorrect fix" not an "incomplete fix."
Admittedly, for many CVE users it doesn't matter.

You are indeed right, it is better to categorize it as an incorrect fix.

Note 2: We probably haven't found the exact affected 5.4.0RC versions,
but this doesn't matter much because those versions aren't widely
used. Specifically, we don't know whether there's a supported download
location for every pre-release version that ever existed, but we
happened to find the http://php.marvel.strk.jp/archive/ directory.
Here, 5.4.0alpha3 (August 2011) does not check for '\r' at all,
whereas 5.4.0RC2 (December 2011) can check for '\r' but has the
above-mentioned logic flaw. This is consistent with the 2011-11-06 SVN
date listed in bug 60227.

Since RCs and alphas are published in user dirs, and not in the main release
system, I don't think they are actively archived.

However, taking a look at the 5.4.0RC1 tag in git, it seems the issue was
indeed introduced in RC2:
https://github.com/php/php-src/blob/php-5.4.0RC1/main/SAPI.c#L715
And to confirm it in RC2:
https://github.com/php/php-src/blob/php-5.4.0RC2/main/SAPI.c#L715

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
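To make the logic flaw in the quoted expression concrete, here is an added example (my own reconstruction, not PHP's code nor the patch from the bug report): a minimal model of the header check built around the memchr expression from the thread, beside a byte-by-byte version, both run over constructed header values. The folding rule (a line break followed by a space or tab continues the same header) is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not PHP's own code) of the header() newline check
 * discussed above.  Assumed rule: a line break followed by a space or tab
 * is folded continuation and is allowed; any other CR or LF is rejected.
 * Returns 1 if a bare line break is detected, 0 if the value is accepted. */
static int flawed_check(const char *hdr, size_t len)
{
    const char *s = hdr, *e = hdr + len, *p;
    /* The expression quoted in the thread: '\r' is searched only when no
     * '\n' remains, so a CR that precedes a folded LF is never examined. */
    while (s < e && ((p = memchr(s, '\n', (size_t)(e - s))) ||
                     (p = memchr(s, '\r', (size_t)(e - s))))) {
        if (p + 1 < e && (p[1] == ' ' || p[1] == '\t')) {
            s = p + 1;      /* folded continuation: keep scanning */
            continue;
        }
        return 1;           /* bare line break: reject */
    }
    return 0;
}

/* Corrected check (my own, not the upstream fix): examine every CR and LF
 * in order, treating "\r\n" as a single line break. */
static int fixed_check(const char *hdr, size_t len)
{
    const char *s = hdr, *e = hdr + len;
    for (; s < e; s++) {
        if (*s != '\n' && *s != '\r')
            continue;
        if (*s == '\r' && s + 1 < e && s[1] == '\n')
            s++;            /* CRLF counts once */
        if (s + 1 < e && (s[1] == ' ' || s[1] == '\t'))
            continue;       /* folded continuation */
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed header values; the last has a CR before a folded LF. */
    const char *v[] = { "X-A: 1\r\n\tcont", "X-A: 1\nX-B: 2", "X-A: 1\rX-B: 2\n x" };
    for (int i = 0; i < 3; i++)
        printf("%d: flawed=%d fixed=%d\n", i, flawed_check(v[i], strlen(v[i])),
               fixed_check(v[i], strlen(v[i])));
    return 0;
}
```

The third value is the case the thread describes: the flawed loop accepts it because the folded LF is found first and the earlier CR is never inspected, while the byte-wise version rejects it.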
