<<< Date Index >>>     <<< Thread Index >>>

MDKSA-2005:072 - Updated php packages fix multiple vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           php
 Advisory ID:            MDKSA-2005:072
 Date:                   April 18th, 2005

 Affected versions:      10.0, 10.1, 10.2, Corporate 3.0,
                         Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 A number of vulnerabilities are addressed in this PHP update:
 
 Stefano Di Paolo discovered integer overflows in PHP's pack(),
 unpack(), and shmop_write() functions which could allow a malicious
 script to break out of safe mode and execute arbitray code with
 privileges of the PHP interpreter (CAN-2004-1018; this was previously
 fixed in Mandrakelinux >= 10.0 in MDKSA-2004:151).
 
 Stefan Esser discovered two safe mode bypasses which would allow
 malicious scripts to circumvent path restrictions by using
 virtual_popen() with a current directory containing shell meta-
 characters (CAN-2004-1063) or by creating a specially crafted
 directory whose length exceeded the capacity of realpath()
 (CAN-2004-1064; both of these were previously fixed in Mandrakelinux
 >= 10.0 in MDKSA-2004:151).
 
 Two Denial of Service vulnerabilities were found in the getimagesize()
 function which uses the format-specific internal functions
 php_handle_iff() and php_handle_jpeg() which would get stuck in
 infinite loops when certain (invalid) size parameters are read from
 the image (CAN-2005-0524 and CAN-2005-0525).
 
 An integer overflow was discovered in the exif_process_IFD_TAG()
 function in PHP's EXIF module.  EXIF tags with a specially crafted
 "Image File Directory" (IFD) tag would cause a buffer overflow which
 could be exploited to execute arbitrary code with the privileges of
 the PHP server (CAN-2005-1042).
 
 Another vulnerability in the EXIF module was also discovered where
 headers with a large IFD nesting level would cause an unbound
 recursion which would eventually overflow the stack and cause the
 executed program to crash (CAN-2004-1043).
 
 All of these issues are addressed in the Corporate Server 2.1 packages
 and the last three issues for all other platforms, which had
 previously included the first two issues but had not been mentioned
 in MDKSA-2004:151.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0524
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0525
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1042
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1043
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 f7d974aa23e07a33ffc28d24d57ae6d1  
10.0/RPMS/libphp_common432-4.3.4-4.5.100mdk.i586.rpm
 345a78284dee2a035f627e348e73923b  10.0/RPMS/php-cgi-4.3.4-4.5.100mdk.i586.rpm
 14a9a57cb05438a2b95ac47fa68755be  10.0/RPMS/php-cli-4.3.4-4.5.100mdk.i586.rpm
 1d43beb4125253db8a9bdaaffec6abce  
10.0/RPMS/php432-devel-4.3.4-4.5.100mdk.i586.rpm
 44a1aa8be7f1f56120568028d3cce0a0  10.0/SRPMS/php-4.3.4-4.5.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 9651a95c09fef8db80f8d0455f1d4aae  
amd64/10.0/RPMS/lib64php_common432-4.3.4-4.5.100mdk.amd64.rpm
 d883ef32f7f60531cf2be850d5e9dcba  
amd64/10.0/RPMS/php-cgi-4.3.4-4.5.100mdk.amd64.rpm
 21f487c746312c589115e12b9ed0d13e  
amd64/10.0/RPMS/php-cli-4.3.4-4.5.100mdk.amd64.rpm
 0a9e996779cc13cfa458c39aa6bf6472  
amd64/10.0/RPMS/php432-devel-4.3.4-4.5.100mdk.amd64.rpm
 44a1aa8be7f1f56120568028d3cce0a0  amd64/10.0/SRPMS/php-4.3.4-4.5.100mdk.src.rpm

 Mandrakelinux 10.1:
 f75cb008b1eafcce1167f487fd0742ef  
10.1/RPMS/libphp_common432-4.3.8-3.3.101mdk.i586.rpm
 6522017c3e097f22a37f293d765f4141  10.1/RPMS/php-cgi-4.3.8-3.3.101mdk.i586.rpm
 4ba9ade6db11e4035f73ede36e361ad7  10.1/RPMS/php-cli-4.3.8-3.3.101mdk.i586.rpm
 63d4d58bbc3a01b89c688660be399af0  
10.1/RPMS/php432-devel-4.3.8-3.3.101mdk.i586.rpm
 f4fe82b93cf84987b0787e297d5189de  10.1/SRPMS/php-4.3.8-3.3.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 fb08286032f45020ecd96e07b0da51af  
x86_64/10.1/RPMS/lib64php_common432-4.3.8-3.3.101mdk.x86_64.rpm
 e1ae8214e11a7e62e987cde10e53c609  
x86_64/10.1/RPMS/php-cgi-4.3.8-3.3.101mdk.x86_64.rpm
 44c080a9d90e282da95b5d809e90df52  
x86_64/10.1/RPMS/php-cli-4.3.8-3.3.101mdk.x86_64.rpm
 d23e51652be1cb62f4704a5c4fe4a7a9  
x86_64/10.1/RPMS/php432-devel-4.3.8-3.3.101mdk.x86_64.rpm
 f4fe82b93cf84987b0787e297d5189de  
x86_64/10.1/SRPMS/php-4.3.8-3.3.101mdk.src.rpm

 Mandrakelinux 10.2:
 cc1f7f17fdcaf8dc87efcad94a241eca  
10.2/RPMS/libphp_common432-4.3.10-7.1.102mdk.i586.rpm
 3655f4254ca1ee329462e1f744533ed2  10.2/RPMS/php-cgi-4.3.10-7.1.102mdk.i586.rpm
 a6084914e21c0a5873d5b94bb914411f  10.2/RPMS/php-cli-4.3.10-7.1.102mdk.i586.rpm
 41a0168e7a2fdb581b59e5550c02418f  
10.2/RPMS/php432-devel-4.3.10-7.1.102mdk.i586.rpm
 2e3bf475cc0a73a2402d487e1bcaa741  10.2/SRPMS/php-4.3.10-7.1.102mdk.src.rpm

 Mandrakelinux 10.2/X86_64:
 17130ea081a475bebce9ef1f4ea89c22  
x86_64/10.2/RPMS/lib64php_common432-4.3.10-7.1.102mdk.x86_64.rpm
 5b9712e9d2b3709243080eefe5f36037  
x86_64/10.2/RPMS/php-cgi-4.3.10-7.1.102mdk.x86_64.rpm
 6e77ec1f4a00e757e9144c798f86b465  
x86_64/10.2/RPMS/php-cli-4.3.10-7.1.102mdk.x86_64.rpm
 f55fc2c228f012266c55e830cc858698  
x86_64/10.2/RPMS/php432-devel-4.3.10-7.1.102mdk.x86_64.rpm
 2e3bf475cc0a73a2402d487e1bcaa741  
x86_64/10.2/SRPMS/php-4.3.10-7.1.102mdk.src.rpm

 Corporate Server 2.1:
 f418349daa18087f1b2bd2d06d07a7d7  
corporate/2.1/RPMS/php-4.2.3-4.4.C21mdk.i586.rpm
 f55f290333af492f34104d1821ece93d  
corporate/2.1/RPMS/php-common-4.2.3-4.4.C21mdk.i586.rpm
 ff25be7d53aa1f8efa1ac7ea06935c60  
corporate/2.1/RPMS/php-devel-4.2.3-4.4.C21mdk.i586.rpm
 38a6771932090c0b49a495caa244047f  
corporate/2.1/RPMS/php-pear-4.2.3-4.4.C21mdk.i586.rpm
 57a79e60657b372524d7b8af3535cfe6  
corporate/2.1/SRPMS/php-4.2.3-4.4.C21mdk.src.rpm

 Corporate Server 2.1/X86_64:
 0459cb20800a58b6ee41fc6ac2dc55b2  
x86_64/corporate/2.1/RPMS/php-4.2.3-4.4.C21mdk.x86_64.rpm
 462186f5005cafbfe66dd99cb9110e30  
x86_64/corporate/2.1/RPMS/php-common-4.2.3-4.4.C21mdk.x86_64.rpm
 5f6c49093da250595d27917455fff5bd  
x86_64/corporate/2.1/RPMS/php-devel-4.2.3-4.4.C21mdk.x86_64.rpm
 5fb114b6761fcd231cbbbfde6e41252d  
x86_64/corporate/2.1/RPMS/php-pear-4.2.3-4.4.C21mdk.x86_64.rpm
 57a79e60657b372524d7b8af3535cfe6  
x86_64/corporate/2.1/SRPMS/php-4.2.3-4.4.C21mdk.src.rpm

 Corporate 3.0:
 eab4aa42fbd404630d0eb350ea17efd1  
corporate/3.0/RPMS/libphp_common432-4.3.4-4.5.C30mdk.i586.rpm
 3138545d861d0c28acc81f77424e95c5  
corporate/3.0/RPMS/php-cgi-4.3.4-4.5.C30mdk.i586.rpm
 b26d65545512c6698cfb5d3280961677  
corporate/3.0/RPMS/php-cli-4.3.4-4.5.C30mdk.i586.rpm
 6bfa6303f2f8a52c963f9df4bf59c639  
corporate/3.0/RPMS/php432-devel-4.3.4-4.5.C30mdk.i586.rpm
 9f017d501ff162d276b0e2832468a5c8  
corporate/3.0/SRPMS/php-4.3.4-4.5.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 eab4aa42fbd404630d0eb350ea17efd1  
x86_64/corporate/3.0/RPMS/libphp_common432-4.3.4-4.5.C30mdk.i586.rpm
 3138545d861d0c28acc81f77424e95c5  
x86_64/corporate/3.0/RPMS/php-cgi-4.3.4-4.5.C30mdk.i586.rpm
 b26d65545512c6698cfb5d3280961677  
x86_64/corporate/3.0/RPMS/php-cli-4.3.4-4.5.C30mdk.i586.rpm
 6bfa6303f2f8a52c963f9df4bf59c639  
x86_64/corporate/3.0/RPMS/php432-devel-4.3.4-4.5.C30mdk.i586.rpm
 9f017d501ff162d276b0e2832468a5c8  
x86_64/corporate/3.0/SRPMS/php-4.3.4-4.5.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCZGd6mqjQ0CJFipgRArzeAKCwF9l5b7X4e2V1lwVKBEmKxzhb2gCdGPe6
tLdpH8LT8qnWvHfu0Yo4XIA=
=eOcy
-----END PGP SIGNATURE-----