<<< Date Index >>>     <<< Thread Index >>>

[OpenPKG-SA-2006.023] OpenPKG Security Advisory (php)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                                   OpenPKG GmbH
http://www.openpkg.org/security/                      http://openpkg.com
OpenPKG-SA-2006.023                                           2006-10-17
________________________________________________________________________

Package:          php
Vulnerability:    privilege escalation, arbitrary code execution
OpenPKG Specific: no

Affected Series:  Affected Packages:      Corrected Packages:
1.0-ENTERPRISE    N.A.                    >= php-5.1.6-E1.0.0
2-STABLE-20061018 N.A.                    >= php-5.1.6-2.20061018
2-STABLE          <= php-5.1.5-2.20060818 >= php-5.1.6-2.20061018
CURRENT           <= php-5.1.6-20061013   >= php-5.1.6-20061017

Description:
  According to a security advisory [1] from Maksymilian Arciemowicz,
  a vulnerability exists in the programming language PHP [0] which
  allows local users to bypass certain Apache HTTP server "httpd.conf"
  options, such as "safe_mode" and "open_basedir", via the "ini_restore"
  function, which resets the values to their "php.ini" (master value)
  defaults. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CVE-2006-4625 [2] to the problem.

  According to a security advisory [3] from the Hardened-PHP project, an
  integer overflow bug exists in the programming language PHP [0] which
  allows remote attackers to execute arbitrary code via an argument to
  the "unserialize" PHP function with a large value for the number of
  array elements, which triggers the overflow in the underlying Zend
  Engine "ecalloc" function. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CVE-2006-4812 [4] to the problem.

  According to a security advisory [5] from the Hardened-PHP project, a
  race condition in the "symlink" function of the programming language
  PHP [0] exists which allows local users to bypass the "open_basedir"
  restriction by using a combination of "symlink", "mkdir", and "unlink"
  functions to change the file path after the "open_basedir" check and
  before the file is opened by the underlying system, as demonstrated
  by symlinking a symlink into a subdirectory, to point to a parent
  directory via ".." sequences, and then unlinking the resulting
  symlink. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CVE-2006-5178 [6] to the problem.
________________________________________________________________________

References:
  [0] http://www.php.net/
  [1] http://securityreason.com/achievement_securityalert/42
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4625
  [3] http://www.hardened-php.net/advisory_092006.133.html
  [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4812
  [5] http://www.hardened-php.net/advisory_082006.132.html
  [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5178
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) which
you can retrieve from http://www.openpkg.org/openpkg.pgp. Follow the
instructions on http://www.openpkg.org/security/signatures/ for details
on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>

iD8DBQFFNIGdgHWT4GPEy58RAtVBAJoCX3irrZamtyw2iB6kr0prNfJK8wCg7/bo
S+LNuXuT19oMnAmzUXudLkc=
=RAhf
-----END PGP SIGNATURE-----