<<< Date Index >>>     <<< Thread Index >>>

[OpenPKG-SA-2007.019] OpenPKG Security Advisory (php)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

____________________________________________________________________________

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2007.019
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2007.019
Advisory Published:      2007-05-25 19:56 UTC

Issue Id (internal):     OpenPKG-SI-20070518.04
Issue First Created:     2007-05-18
Issue Last Modified:     2007-05-25
Issue Revision:          04
____________________________________________________________________________

Subject Name:            php
Subject Summary:         Programming Language
Subject Home:            http://www.php.net/
Subject Versions:        * <= 5.2.2

Vulnerability Id:        CVE-2007-1380, CVE-2007-1375, CVE-2007-1376,
                         CVE-2007-1521, CVE-2007-1484, CVE-2007-1583,
                         CVE-2007-1700, CVE-2007-1718, CVE-2007-1461,
                         CVE-2007-1887, CVE-2007-1888, CVE-2007-1717,
                         CVE-2007-1835, CVE-2007-1890, CVE-2007-1824
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           local system, remote network
Attack Impact:           denial of service, exposure of sensitive
                         information, manipulation of data, arbitrary code
                         execution

Description:
    Steffan Esser published "the Month of PHP Bugs" [0] and revealed
    multiple vulnerabilities regarding the programming language PHP [1].
    According to a vendor release announcement [0], many of the issues
    were fixed [2] in version 5.2.2. Fixes that apply to the OpenPKG
    Enterprise 1 packages were extraced and backported.
    
    The php_binary serialization handler in the session extension in
    PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent
    attackers to obtain sensitive information (memory contents) via a
    serialized variable entry with a large length value, which triggers
    a buffer over-read.
    (CVE-2007-1380, MOPB-10-2007)
    
    Integer overflow in the substr_compare function in PHP 5.2.1 and
    earlier allows context-dependent attackers to read sensitive memory
    via a large value in the length argument, a different vulnerability
    than CVE-2006-1991.
    (CVE-2007-1375, MOPB-14-2007)
    
    The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x
    series, do not verify that their arguments correspond to a shmop
    resource, which allows context-dependent attackers to read and
    write arbitrary memory locations via arguments associated with an
    inappropriate resource, as demonstrated by a GD Image resource.
    (CVE-2007-1376, MOPB-15-2007)
    
    Double free vulnerability in PHP before 4.4.7, and 5.x before 5.2.2,
    allows context-dependent attackers to execute arbitrary code by
    interrupting the session_regenerate_id function, as demonstrated
    by calling a userspace error handler or triggering a memory limit
    violation.
    (CVE-2007-1521, MOPB-22-2007)
    
    The array_user_key_compare function in PHP 4.4.6 and earlier, and
    5.x up to 5.2.1, makes erroneous calls to zval_dtor, which triggers
    memory corruption and allows local users to bypass safe_mode
    and execute arbitrary code via a certain unset operation after
    array_user_key_compare has been called.
    (CVE-2007-1484, MOPB-24-2007)
    
    The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0
    through 5.2.1 sets the internal register_globals flag and does
    not disable it in certain cases when a script terminates, which
    allows remote attackers to invoke available PHP scripts with
    register_globals functionality that is not detectable by these
    scripts, as demonstrated by forcing a memory_limit violation.
    (CVE-2007-1583, MOPB-26-2007)
    
    The session extension in PHP 4 before 4.4.5, and PHP 5 before
    5.2.1, calculates the reference count for the session variables
    without considering the internal pointer from the session globals,
    which allows context-dependent attackers to execute arbitrary
    code via a crafted string in the session_register after unsetting
    HTTP_SESSION_VARS and _SESSION, which destroys the session data
    Hashtable.
    (CVE-2007-1700, MOPB-30-2007)
    
    CRLF injection vulnerability in the mail function in PHP 4.0.0
    through 4.4.6 and 5.0.0 through 5.2.1 allows remote attackers to
    inject arbitrary e-mail headers and possibly conduct spam attacks
    via a control character immediately following folding of the
    (1) Subject or (2) To parameter, as demonstrated by a parameter
    containing a "\r\n\t\n" sequence, related to an increment bug in the
    SKIP_LONG_HEADER_SEP macro.
    (CVE-2007-1718, MOPB-34-2007)
    
    The compress.bzip2:// URL wrapper provided by the bz2 extension in
    PHP before 4.4.7, and 5.x before 5.2.2, does not implement safemode
    or open_basedir checks, which allows remote attackers to read bzip2
    archives located outside of the intended directories.
    (CVE-2007-1461, MOPB-21-2007)
    
    Buffer overflow in the sqlite_decode_binary function in the bundled
    sqlite library in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows
    context-dependent attackers to execute arbitrary code via an
    empty value of the in parameter, as demonstrated by calling the
    sqlite_udf_decode_binary function with a 0x01 character. OpenPKG
    integrated a patch from Debian which modifies PHP not SQLite, fixing
    use of internal or external SQLite.
    (CVE-2007-1887, MOPB-41-2007)
    
    The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through
    5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte,
    which might allow context-dependent attackers to prevent intended
    information from being delivered in e-mail messages. This issue
    might be security-relevant in cases when the trailing contents of
    e-mail messages are important, such as logging information or if the
    message is expected to be well-formed.
    (CVE-2007-1717, MOPB-33-2007)
    
    PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty
    session save path (session.save_path), uses the TMPDIR default
    after checking the restrictions, which allows local users to bypass
    open_basedir restrictions.
    (CVE-2007-1835, MOPB-36-2007)
    
    Integer overflow in the msg_receive function in PHP 4 before 4.4.5
    and PHP 5 before 5.2.1, on FreeBSD and possibly other platforms,
    allows context-dependent attackers to execute arbitrary code via
    certain maxsize values, as demonstrated by 0xffffffff.
    (CVE-2007-1890, MOPB-43-2007)
    
    Buffer overflow in the php_stream_filter_create function in PHP 5
    before 5.2.1 allows remote attackers to cause a denial of service
    (application crash) via a php://filter/ URL that has a name ending
    in the '.' character.
    (CVE-2007-1824, MOPB-42-2007)

References:
    [0] http://www.php-security.org/
    [1] http://www.php.net/
    [2] http://www.php.net/releases/5_2_2.php
____________________________________________________________________________

Primary Package Name:    php
Primary Package Home:    http://openpkg.org/go/package/php

Corrected Distribution:  Corrected Branch: Corrected Package:
OpenPKG Enterprise       E1.0-SOLID        apache-1.3.37-E1.0.5
OpenPKG Enterprise       E1.0-SOLID        php-5.1.6-E1.0.3
OpenPKG Community        CURRENT           apache-1.3.37-20070504
OpenPKG Community        CURRENT           php-5.2.2-20070504
____________________________________________________________________________

For security reasons, this document was digitally signed with the
OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34)
which you can download from http://openpkg.com/openpkg.com.pgp
or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/.
Follow the instructions at http://openpkg.com/security/signatures/
for more details on how to verify the integrity of this document.
____________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG GmbH <http://openpkg.com/>

iD8DBQFGVyNWZwQuyWG3rjQRAtYGAKCYJajoloZ5Yr7QV1wxDlu0ABMF4ACfUoMN
l/Yg+z9xMYhIXYEf5Tjv0Lg=
=IY9c
-----END PGP SIGNATURE-----