-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ____________________________________________________________________________ Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2007.019 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.019 Advisory Published: 2007-05-25 19:56 UTC Issue Id (internal): OpenPKG-SI-20070518.04 Issue First Created: 2007-05-18 Issue Last Modified: 2007-05-25 Issue Revision: 04 ____________________________________________________________________________ Subject Name: php Subject Summary: Programming Language Subject Home: http://www.php.net/ Subject Versions: * <= 5.2.2 Vulnerability Id: CVE-2007-1380, CVE-2007-1375, CVE-2007-1376, CVE-2007-1521, CVE-2007-1484, CVE-2007-1583, CVE-2007-1700, CVE-2007-1718, CVE-2007-1461, CVE-2007-1887, CVE-2007-1888, CVE-2007-1717, CVE-2007-1835, CVE-2007-1890, CVE-2007-1824 Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: local system, remote network Attack Impact: denial of service, exposure of sensitive information, manipulation of data, arbitrary code execution Description: Steffan Esser published "the Month of PHP Bugs" [0] and revealed multiple vulnerabilities regarding the programming language PHP [1]. According to a vendor release announcement [0], many of the issues were fixed [2] in version 5.2.2. Fixes that apply to the OpenPKG Enterprise 1 packages were extraced and backported. The php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read. (CVE-2007-1380, MOPB-10-2007) Integer overflow in the substr_compare function in PHP 5.2.1 and earlier allows context-dependent attackers to read sensitive memory via a large value in the length argument, a different vulnerability than CVE-2006-1991. (CVE-2007-1375, MOPB-14-2007) The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x series, do not verify that their arguments correspond to a shmop resource, which allows context-dependent attackers to read and write arbitrary memory locations via arguments associated with an inappropriate resource, as demonstrated by a GD Image resource. (CVE-2007-1376, MOPB-15-2007) Double free vulnerability in PHP before 4.4.7, and 5.x before 5.2.2, allows context-dependent attackers to execute arbitrary code by interrupting the session_regenerate_id function, as demonstrated by calling a userspace error handler or triggering a memory limit violation. (CVE-2007-1521, MOPB-22-2007) The array_user_key_compare function in PHP 4.4.6 and earlier, and 5.x up to 5.2.1, makes erroneous calls to zval_dtor, which triggers memory corruption and allows local users to bypass safe_mode and execute arbitrary code via a certain unset operation after array_user_key_compare has been called. (CVE-2007-1484, MOPB-24-2007) The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation. (CVE-2007-1583, MOPB-26-2007) The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2.1, calculates the reference count for the session variables without considering the internal pointer from the session globals, which allows context-dependent attackers to execute arbitrary code via a crafted string in the session_register after unsetting HTTP_SESSION_VARS and _SESSION, which destroys the session data Hashtable. (CVE-2007-1700, MOPB-30-2007) CRLF injection vulnerability in the mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows remote attackers to inject arbitrary e-mail headers and possibly conduct spam attacks via a control character immediately following folding of the (1) Subject or (2) To parameter, as demonstrated by a parameter containing a "\r\n\t\n" sequence, related to an increment bug in the SKIP_LONG_HEADER_SEP macro. (CVE-2007-1718, MOPB-34-2007) The compress.bzip2:// URL wrapper provided by the bz2 extension in PHP before 4.4.7, and 5.x before 5.2.2, does not implement safemode or open_basedir checks, which allows remote attackers to read bzip2 archives located outside of the intended directories. (CVE-2007-1461, MOPB-21-2007) Buffer overflow in the sqlite_decode_binary function in the bundled sqlite library in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via an empty value of the in parameter, as demonstrated by calling the sqlite_udf_decode_binary function with a 0x01 character. OpenPKG integrated a patch from Debian which modifies PHP not SQLite, fixing use of internal or external SQLite. (CVE-2007-1887, MOPB-41-2007) The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte, which might allow context-dependent attackers to prevent intended information from being delivered in e-mail messages. This issue might be security-relevant in cases when the trailing contents of e-mail messages are important, such as logging information or if the message is expected to be well-formed. (CVE-2007-1717, MOPB-33-2007) PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions. (CVE-2007-1835, MOPB-36-2007) Integer overflow in the msg_receive function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1, on FreeBSD and possibly other platforms, allows context-dependent attackers to execute arbitrary code via certain maxsize values, as demonstrated by 0xffffffff. (CVE-2007-1890, MOPB-43-2007) Buffer overflow in the php_stream_filter_create function in PHP 5 before 5.2.1 allows remote attackers to cause a denial of service (application crash) via a php://filter/ URL that has a name ending in the '.' character. (CVE-2007-1824, MOPB-42-2007) References: [0] http://www.php-security.org/ [1] http://www.php.net/ [2] http://www.php.net/releases/5_2_2.php ____________________________________________________________________________ Primary Package Name: php Primary Package Home: http://openpkg.org/go/package/php Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Enterprise E1.0-SOLID apache-1.3.37-E1.0.5 OpenPKG Enterprise E1.0-SOLID php-5.1.6-E1.0.3 OpenPKG Community CURRENT apache-1.3.37-20070504 OpenPKG Community CURRENT php-5.2.2-20070504 ____________________________________________________________________________ For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/. Follow the instructions at http://openpkg.com/security/signatures/ for more details on how to verify the integrity of this document. ____________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG GmbH iD8DBQFGVyNWZwQuyWG3rjQRAtYGAKCYJajoloZ5Yr7QV1wxDlu0ABMF4ACfUoMN l/Yg+z9xMYhIXYEf5Tjv0Lg= =IY9c -----END PGP SIGNATURE-----