full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] [OpenPKG-SA-2007.019] Open

[Full-disclosure] [OpenPKG-SA-2007.019] OpenPKG Security Advisory (php)

From: OpenPKG GmbH <openpkg-noreply_at_nospam>
Date: Fri May 25 2007 - 17:59:52 GMT
To: full-disclosure@lists.grok.org.uk


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2007.019 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.019 Advisory Published: 2007-05-25 19:56 UTC Issue Id (internal): OpenPKG-SI-20070518.04 Issue First Created: 2007-05-18 Issue Last Modified: 2007-05-25 Issue Revision: 04 ____________________________________________________________________________ Subject Name: php Subject Summary: Programming Language Subject Home: http://www.php.net/ Subject Versions: * <= 5.2.2 Vulnerability Id: CVE-2007-1380, CVE-2007-1375, CVE-2007-1376, CVE-2007-1521, CVE-2007-1484, CVE-2007-1583, CVE-2007-1700, CVE-2007-1718, CVE-2007-1461, CVE-2007-1887, CVE-2007-1888, CVE-2007-1717, CVE-2007-1835, CVE-2007-1890, CVE-2007-1824 Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: local system, remote network Attack Impact: denial of service, exposure of sensitive information, manipulation of data, arbitrary code execution

Description:

    Steffan Esser published "the Month of PHP Bugs" [0] and revealed     multiple vulnerabilities regarding the programming language PHP [1].     According to a vendor release announcement [0], many of the issues     were fixed [2] in version 5.2.2. Fixes that apply to the OpenPKG     Enterprise 1 packages were extraced and backported.     

    The php_binary serialization handler in the session extension in     PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent     attackers to obtain sensitive information (memory contents) via a     serialized variable entry with a large length value, which triggers     a buffer over-read.
(CVE-2007-1380, MOPB-10-2007)
         Integer overflow in the substr_compare function in PHP 5.2.1 and     earlier allows context-dependent attackers to read sensitive memory     via a large value in the length argument, a different vulnerability     than CVE-2006-1991.
(CVE-2007-1375, MOPB-14-2007)
         The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x     series, do not verify that their arguments correspond to a shmop     resource, which allows context-dependent attackers to read and     write arbitrary memory locations via arguments associated with an     inappropriate resource, as demonstrated by a GD Image resource.
(CVE-2007-1376, MOPB-15-2007)
         Double free vulnerability in PHP before 4.4.7, and 5.x before 5.2.2,     allows context-dependent attackers to execute arbitrary code by     interrupting the session_regenerate_id function, as demonstrated     by calling a userspace error handler or triggering a memory limit     violation.
(CVE-2007-1521, MOPB-22-2007)
         The array_user_key_compare function in PHP 4.4.6 and earlier, and     5.x up to 5.2.1, makes erroneous calls to zval_dtor, which triggers     memory corruption and allows local users to bypass safe_mode     and execute arbitrary code via a certain unset operation after     array_user_key_compare has been called.
(CVE-2007-1484, MOPB-24-2007)
         The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0     through 5.2.1 sets the internal register_globals flag and does     not disable it in certain cases when a script terminates, which     allows remote attackers to invoke available PHP scripts with     register_globals functionality that is not detectable by these     scripts, as demonstrated by forcing a memory_limit violation.
(CVE-2007-1583, MOPB-26-2007)
         The session extension in PHP 4 before 4.4.5, and PHP 5 before     5.2.1, calculates the reference count for the session variables     without considering the internal pointer from the session globals,     which allows context-dependent attackers to execute arbitrary     code via a crafted string in the session_register after unsetting     HTTP_SESSION_VARS and _SESSION, which destroys the session data     Hashtable.
(CVE-2007-1700, MOPB-30-2007)
         CRLF injection vulnerability in the mail function in PHP 4.0.0     through 4.4.6 and 5.0.0 through 5.2.1 allows remote attackers to     inject arbitrary e-mail headers and possibly conduct spam attacks     via a control character immediately following folding of the
(1) Subject or (2) To parameter, as demonstrated by a parameter
    containing a "\r\n\t\n" sequence, related to an increment bug in the     SKIP_LONG_HEADER_SEP macro.
(CVE-2007-1718, MOPB-34-2007)
         The compress.bzip2:// URL wrapper provided by the bz2 extension in     PHP before 4.4.7, and 5.x before 5.2.2, does not implement safemode     or open_basedir checks, which allows remote attackers to read bzip2     archives located outside of the intended directories.
(CVE-2007-1461, MOPB-21-2007)
         Buffer overflow in the sqlite_decode_binary function in the bundled     sqlite library in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows     context-dependent attackers to execute arbitrary code via an     empty value of the in parameter, as demonstrated by calling the     sqlite_udf_decode_binary function with a 0x01 character. OpenPKG     integrated a patch from Debian which modifies PHP not SQLite, fixing     use of internal or external SQLite.
(CVE-2007-1887, MOPB-41-2007)
         The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through     5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte,     which might allow context-dependent attackers to prevent intended     information from being delivered in e-mail messages. This issue     might be security-relevant in cases when the trailing contents of     e-mail messages are important, such as logging information or if the     message is expected to be well-formed.
(CVE-2007-1717, MOPB-33-2007)
         PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty     session save path (session.save_path), uses the TMPDIR default     after checking the restrictions, which allows local users to bypass     open_basedir restrictions.
(CVE-2007-1835, MOPB-36-2007)
         Integer overflow in the msg_receive function in PHP 4 before 4.4.5     and PHP 5 before 5.2.1, on FreeBSD and possibly other platforms,     allows context-dependent attackers to execute arbitrary code via     certain maxsize values, as demonstrated by 0xffffffff.
(CVE-2007-1890, MOPB-43-2007)
         Buffer overflow in the php_stream_filter_create function in PHP 5     before 5.2.1 allows remote attackers to cause a denial of service
(application crash) via a php://filter/ URL that has a name ending
    in the '.' character.
(CVE-2007-1824, MOPB-42-2007)
References: [0] http://www.php-security.org/ [1] http://www.php.net/ [2] http://www.php.net/releases/5_2_2.php ____________________________________________________________________________

Primary Package Name: php
Primary Package Home: http://openpkg.org/go/package/php

Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Enterprise E1.0-SOLID apache-1.3.37-E1.0.5 OpenPKG Enterprise E1.0-SOLID php-5.1.6-E1.0.3 OpenPKG Community CURRENT apache-1.3.37-20070504 OpenPKG Community CURRENT php-5.2.2-20070504 ____________________________________________________________________________

For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/. Follow the instructions at http://openpkg.com/security/signatures/ for more details on how to verify the integrity of this document.


-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH <http://openpkg.com/>

iD8DBQFGVyNWZwQuyWG3rjQRAtYGAKCYJajoloZ5Yr7QV1wxDlu0ABMF4ACfUoMN l/Yg+z9xMYhIXYEf5Tjv0Lg=
=IY9c
-----END PGP SIGNATURE-----



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/