[OpenPKG-SA-2007.019] OpenPKG Security Advisory (php)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
____________________________________________________________________________
Publisher Name: OpenPKG GmbH
Publisher Home: http://openpkg.com/
Advisory Id (public): OpenPKG-SA-2007.019
Advisory Type: OpenPKG Security Advisory (SA)
Advisory Directory: http://openpkg.com/go/OpenPKG-SA
Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.019
Advisory Published: 2007-05-25 19:56 UTC
Issue Id (internal): OpenPKG-SI-20070518.04
Issue First Created: 2007-05-18
Issue Last Modified: 2007-05-25
Issue Revision: 04
____________________________________________________________________________
Subject Name: php
Subject Summary: Programming Language
Subject Home: http://www.php.net/
Subject Versions: * <= 5.2.2
Vulnerability Id: CVE-2007-1380, CVE-2007-1375, CVE-2007-1376,
CVE-2007-1521, CVE-2007-1484, CVE-2007-1583,
CVE-2007-1700, CVE-2007-1718, CVE-2007-1461,
CVE-2007-1887, CVE-2007-1888, CVE-2007-1717,
CVE-2007-1835, CVE-2007-1890, CVE-2007-1824
Vulnerability Scope: global (not OpenPKG specific)
Attack Feasibility: run-time
Attack Vector: local system, remote network
Attack Impact: denial of service, exposure of sensitive
information, manipulation of data, arbitrary code
execution
Description:
Steffan Esser published "the Month of PHP Bugs" [0] and revealed
multiple vulnerabilities regarding the programming language PHP [1].
According to a vendor release announcement [0], many of the issues
were fixed [2] in version 5.2.2. Fixes that apply to the OpenPKG
Enterprise 1 packages were extraced and backported.
The php_binary serialization handler in the session extension in
PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent
attackers to obtain sensitive information (memory contents) via a
serialized variable entry with a large length value, which triggers
a buffer over-read.
(CVE-2007-1380, MOPB-10-2007)
Integer overflow in the substr_compare function in PHP 5.2.1 and
earlier allows context-dependent attackers to read sensitive memory
via a large value in the length argument, a different vulnerability
than CVE-2006-1991.
(CVE-2007-1375, MOPB-14-2007)
The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x
series, do not verify that their arguments correspond to a shmop
resource, which allows context-dependent attackers to read and
write arbitrary memory locations via arguments associated with an
inappropriate resource, as demonstrated by a GD Image resource.
(CVE-2007-1376, MOPB-15-2007)
Double free vulnerability in PHP before 4.4.7, and 5.x before 5.2.2,
allows context-dependent attackers to execute arbitrary code by
interrupting the session_regenerate_id function, as demonstrated
by calling a userspace error handler or triggering a memory limit
violation.
(CVE-2007-1521, MOPB-22-2007)
The array_user_key_compare function in PHP 4.4.6 and earlier, and
5.x up to 5.2.1, makes erroneous calls to zval_dtor, which triggers
memory corruption and allows local users to bypass safe_mode
and execute arbitrary code via a certain unset operation after
array_user_key_compare has been called.
(CVE-2007-1484, MOPB-24-2007)
The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0
through 5.2.1 sets the internal register_globals flag and does
not disable it in certain cases when a script terminates, which
allows remote attackers to invoke available PHP scripts with
register_globals functionality that is not detectable by these
scripts, as demonstrated by forcing a memory_limit violation.
(CVE-2007-1583, MOPB-26-2007)
The session extension in PHP 4 before 4.4.5, and PHP 5 before
5.2.1, calculates the reference count for the session variables
without considering the internal pointer from the session globals,
which allows context-dependent attackers to execute arbitrary
code via a crafted string in the session_register after unsetting
HTTP_SESSION_VARS and _SESSION, which destroys the session data
Hashtable.
(CVE-2007-1700, MOPB-30-2007)
CRLF injection vulnerability in the mail function in PHP 4.0.0
through 4.4.6 and 5.0.0 through 5.2.1 allows remote attackers to
inject arbitrary e-mail headers and possibly conduct spam attacks
via a control character immediately following folding of the
(1) Subject or (2) To parameter, as demonstrated by a parameter
containing a "\r\n\t\n" sequence, related to an increment bug in the
SKIP_LONG_HEADER_SEP macro.
(CVE-2007-1718, MOPB-34-2007)
The compress.bzip2:// URL wrapper provided by the bz2 extension in
PHP before 4.4.7, and 5.x before 5.2.2, does not implement safemode
or open_basedir checks, which allows remote attackers to read bzip2
archives located outside of the intended directories.
(CVE-2007-1461, MOPB-21-2007)
Buffer overflow in the sqlite_decode_binary function in the bundled
sqlite library in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows
context-dependent attackers to execute arbitrary code via an
empty value of the in parameter, as demonstrated by calling the
sqlite_udf_decode_binary function with a 0x01 character. OpenPKG
integrated a patch from Debian which modifies PHP not SQLite, fixing
use of internal or external SQLite.
(CVE-2007-1887, MOPB-41-2007)
The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through
5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte,
which might allow context-dependent attackers to prevent intended
information from being delivered in e-mail messages. This issue
might be security-relevant in cases when the trailing contents of
e-mail messages are important, such as logging information or if the
message is expected to be well-formed.
(CVE-2007-1717, MOPB-33-2007)
PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty
session save path (session.save_path), uses the TMPDIR default
after checking the restrictions, which allows local users to bypass
open_basedir restrictions.
(CVE-2007-1835, MOPB-36-2007)
Integer overflow in the msg_receive function in PHP 4 before 4.4.5
and PHP 5 before 5.2.1, on FreeBSD and possibly other platforms,
allows context-dependent attackers to execute arbitrary code via
certain maxsize values, as demonstrated by 0xffffffff.
(CVE-2007-1890, MOPB-43-2007)
Buffer overflow in the php_stream_filter_create function in PHP 5
before 5.2.1 allows remote attackers to cause a denial of service
(application crash) via a php://filter/ URL that has a name ending
in the '.' character.
(CVE-2007-1824, MOPB-42-2007)
References:
[0] http://www.php-security.org/
[1] http://www.php.net/
[2] http://www.php.net/releases/5_2_2.php
____________________________________________________________________________
Primary Package Name: php
Primary Package Home: http://openpkg.org/go/package/php
Corrected Distribution: Corrected Branch: Corrected Package:
OpenPKG Enterprise E1.0-SOLID apache-1.3.37-E1.0.5
OpenPKG Enterprise E1.0-SOLID php-5.1.6-E1.0.3
OpenPKG Community CURRENT apache-1.3.37-20070504
OpenPKG Community CURRENT php-5.2.2-20070504
____________________________________________________________________________
For security reasons, this document was digitally signed with the
OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34)
which you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
____________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH <http://openpkg.com/>
iD8DBQFGVyNWZwQuyWG3rjQRAtYGAKCYJajoloZ5Yr7QV1wxDlu0ABMF4ACfUoMN
l/Yg+z9xMYhIXYEf5Tjv0Lg=
=IY9c
-----END PGP SIGNATURE-----