[ MDVSA-2009:022 ] php
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:022
http://www.mandriva.com/security/
_______________________________________________________________________
Package : php
Date : January 21, 2009
Affected: 2008.0
_______________________________________________________________________
Problem Description:
A vulnerability in PHP allowed context-dependent attackers to cause
a denial of service (crash) via a certain long string in the glob()
or fnmatch() functions (CVE-2007-4782).
A vulnerability in the cURL library in PHP allowed context-dependent
attackers to bypass safe_mode and open_basedir restrictions and read
arbitrary files using a special URL request (CVE-2007-4850).
An integer overflow in PHP allowed context-dependent attackers to
cause a denial of service via a special printf() format parameter
(CVE-2008-1384).
A stack-based buffer overflow in the FastCGI SAPI in PHP has unknown
impact and attack vectors (CVE-2008-2050).
A buffer overflow in the imageloadfont() function in PHP allowed
context-dependent attackers to cause a denial of service (crash)
and potentially execute arbitrary code via a crafted font file
(CVE-2008-3658).
A buffer overflow in the memnstr() function allowed context-dependent
attackers to cause a denial of service (crash) and potentially execute
arbitrary code via the delimiter argument to the explode() function
(CVE-2008-3659).
PHP, when used as a FastCGI module, allowed remote attackers to cause
a denial of service (crash) via a request with multiple dots preceding
the extension (CVE-2008-3660).
An array index error in the imageRotate() function in PHP allowed
context-dependent attackers to read the contents of arbitrary memory
locations via a crafted value of the third argument to the function
for an indexed image (CVE-2008-5498).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5498
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
Mandriva Linux 2008.0/X86_64:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
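The md5 verification that urpmi performs for you, done by hand as an added example (this is not Mandriva's code and not part of the advisory): it parses an advisory "Updated Packages" listing in the "<md5> <path>" form (also accepting the form where the hash and path sit on consecutive lines) and checks each file below a download directory. The listing and files in demo() are constructed.

```python
import hashlib, os, re, tempfile

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def parse_package_list(text):
    """(md5, path) pairs from "<md5> <path>" lines, or hash and path split over two lines."""
    pairs, pending = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        parts = line.split()
        if len(parts) == 2 and MD5_RE.match(parts[0]):
            pairs.append((parts[0], parts[1]))
            pending = None
        elif len(parts) == 1 and MD5_RE.match(parts[0]):
            pending = parts[0]                 # hash alone: wait for its path line
        elif pending and line.endswith(".rpm"):
            pairs.append((pending, line))
            pending = None
    return pairs                               # headings and rules are skipped

def md5_of_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def verify_packages(listing, base_dir):
    """Map each listed package to "ok", "mismatch" or "missing".
    This is integrity against the advisory text only; authenticity still
    rests on the GPG signature check that urpmi performs on each package."""
    results = {}
    for expected, rel in parse_package_list(listing):
        full = os.path.join(base_dir, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        else:
            results[rel] = "ok" if md5_of_file(full) == expected else "mismatch"
    return results

def demo():
    """Constructed sample: one intact, one tampered and one absent package."""
    base = tempfile.mkdtemp()
    pkgdir = os.path.join(base, "2008.0", "i586")
    os.makedirs(pkgdir)
    for name, body in (("good.rpm", b"constructed rpm payload\n"),
                       ("bad.rpm", b"tampered payload\n")):
        with open(os.path.join(pkgdir, name), "wb") as f:
            f.write(body)
    listing = "\n".join([
        "Mandriva Linux 2008.0:",
        md5_of_file(os.path.join(pkgdir, "good.rpm")),   # hash on its own line,
        "2008.0/i586/good.rpm",                           # path on the next one
        "0" * 32 + " 2008.0/i586/bad.rpm",                # native one-line form
        "0" * 32 + " 2008.0/i586/absent.rpm",
    ])
    return verify_packages(listing, base)
```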
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>