Bugtraq mailing list archives
[ GLSA 200811-05 ] PHP: Multiple vulnerabilities
From: Tobias Heinlein <keytoaster () gentoo org>
Date: Sun, 16 Nov 2008 17:08:59 +0100
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200811-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: PHP: Multiple vulnerabilities
Date: November 16, 2008
Bugs: #209148, #212211, #215266, #228369, #230575, #234102
ID: 200811-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
PHP contains several vulnerabilities including buffer and integer
overflows which could lead to the remote execution of arbitrary code.
Background
==========
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/php < 5.2.6-r6 >= 5.2.6-r6
Description
===========
Several vulnerabilitites were found in PHP:
* PHP ships a vulnerable version of the PCRE library which allows for
the circumvention of security restrictions or even for remote code
execution in case of an application which accepts user-supplied
regular expressions (CVE-2008-0674).
* Multiple crash issues in several PHP functions have been
discovered.
* Ryan Permeh reported that the init_request_info() function in
sapi/cgi/cgi_main.c does not properly consider operator precedence
when calculating the length of PATH_TRANSLATED (CVE-2008-0599).
* An off-by-one error in the metaphone() function may lead to memory
corruption.
* Maksymilian Arciemowicz of SecurityReason Research reported an
integer overflow, which is triggerable using printf() and related
functions (CVE-2008-1384).
* Andrei Nigmatulin reported a stack-based buffer overflow in the
FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050).
* Stefan Esser reported that PHP does not correctly handle multibyte
characters inside the escapeshellcmd() function, which is used to
sanitize user input before its usage in shell commands
(CVE-2008-2051).
* Stefan Esser reported that a short-coming in PHP's algorithm of
seeding the random number generator might allow for predictible
random numbers (CVE-2008-2107, CVE-2008-2108).
* The IMAP extension in PHP uses obsolete c-client API calls making
it vulnerable to buffer overflows as no bounds checking can be done
(CVE-2008-2829).
* Tavis Ormandy reported a heap-based buffer overflow in
pcre_compile.c in the PCRE version shipped by PHP when processing
user-supplied regular expressions (CVE-2008-2371).
* CzechSec reported that specially crafted font files can lead to an
overflow in the imageloadfont() function in ext/gd/gd.c, which is
part of the GD extension (CVE-2008-3658).
* Maksymilian Arciemowicz of SecurityReason Research reported that a
design error in PHP's stream wrappers allows to circumvent safe_mode
checks in several filesystem-related PHP functions (CVE-2008-2665,
CVE-2008-2666).
* Laurent Gaffie discovered a buffer overflow in the internal
memnstr() function, which is used by the PHP function explode()
(CVE-2008-3659).
* An error in the FastCGI SAPI when processing a request with
multiple dots preceding the extension (CVE-2008-3660).
Impact
======
These vulnerabilities might allow a remote attacker to execute
arbitrary code, to cause a Denial of Service, to circumvent security
restrictions, to disclose information, and to manipulate files.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All PHP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.6-r6"
References
==========
[ 1 ] CVE-2008-0599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599
[ 2 ] CVE-2008-0674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0674
[ 3 ] CVE-2008-1384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1384
[ 4 ] CVE-2008-2050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2050
[ 5 ] CVE-2008-2051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051
[ 6 ] CVE-2008-2107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107
[ 7 ] CVE-2008-2108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108
[ 8 ] CVE-2008-2371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2371
[ 9 ] CVE-2008-2665
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2665
[ 10 ] CVE-2008-2666
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2666
[ 11 ] CVE-2008-2829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829
[ 12 ] CVE-2008-3658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658
[ 13 ] CVE-2008-3659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
[ 14 ] CVE-2008-3660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200811-05.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [ GLSA 200811-05 ] PHP: Multiple vulnerabilities Tobias Heinlein (Nov 17)