Re: CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026 [was: Re: [oss-security] CVE request: php 5.3.1 update]

[Jan Lieskovsky <jlieskov () redhat com>]

Hi Brian,

security curmudgeon wrote:
> On Fri, 20 Nov 2009, Thomas Biege wrote:
>
> : PHP was updated to version 5.3.1 and did also address security
> : issues: http://www.php.net/releases/5_3_1.php
> : 
> : Security Enhancements and Fixes in PHP 5.3.1:
> : 
> :     * Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
> :     * Added missing sanity checks around exif processing.
>
> This was previously disclosed and fixed in the 5.2.x tree. I believe this 
> is the same as CVE-2009-3292.
>
> :     * Fixed a safe_mode bypass in tempnam().
> :     * Fixed a open_basedir bypass in posix_mkfifo().
> :     * Fixed bug #50063 (safe_mode_include_dir fails).
> :     * Fixed bug #44683 (popen crashes when an invalid mode is passed).
>
> Also not flagged as 'security' up top, but from the changelog:
>
> Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars 
> restrictions). (Ilia)

  Thank you for pointing this out.

  Yes, further look into particular php bugzilla returns:

    "Environment variables specified for proc_open passed without check so
     safe_mode_allowed_env_vars and safe_mode_protected_env_vars settings are
     ignored. So it become possible to use buffer overflow exploit with
     "LD_PRELOAD=evil_library.so" to bypass safe_mode restrictions and get
     access to any files acessible for apache uid."

  So looks another CVE id is needed here. Changed subject to:
  "CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026"

  Could we get another CVE id for this case?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> Brian