oss-sec mailing list archives
Re: CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026 [was: Re: [oss-security] CVE request: php 5.3.1 update]
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 23 Nov 2009 13:29:42 +0100
Hi Brian, security curmudgeon wrote:
On Fri, 20 Nov 2009, Thomas Biege wrote: : PHP was updated to version 5.3.1 and did also address security : issues: http://www.php.net/releases/5_3_1.php: : Security Enhancements and Fixes in PHP 5.3.1: : : * Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.: * Added missing sanity checks around exif processing.This was previously disclosed and fixed in the 5.2.x tree. I believe this is the same as CVE-2009-3292.: * Fixed a safe_mode bypass in tempnam(). : * Fixed a open_basedir bypass in posix_mkfifo(). : * Fixed bug #50063 (safe_mode_include_dir fails). : * Fixed bug #44683 (popen crashes when an invalid mode is passed). Also not flagged as 'security' up top, but from the changelog:Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars restrictions). (Ilia)
Thank you for pointing this out. Yes, further look into particular php bugzilla returns: "Environment variables specified for proc_open passed without check so safe_mode_allowed_env_vars and safe_mode_protected_env_vars settings are ignored. So it become possible to use buffer overflow exploit with "LD_PRELOAD=evil_library.so" to bypass safe_mode restrictions and get access to any files acessible for apache uid." So looks another CVE id is needed here. Changed subject to: "CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026" Could we get another CVE id for this case? Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Brian
Current thread:
- CVE request: php 5.3.1 update Thomas Biege (Nov 20)
- Re: CVE request: php 5.3.1 update Joe Orton (Nov 20)
- Re: CVE request: php 5.3.1 update Tomas Hoger (Nov 20)
- Re: CVE request: php 5.3.1 update Eren Türkay (Nov 20)
- Re: CVE request: php 5.3.1 update security curmudgeon (Nov 21)
- Re: CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026 [was: Re: [oss-security] CVE request: php 5.3.1 update] Jan Lieskovsky (Nov 23)
- Re: CVE request: php 5.3.1 update Joe Orton (Nov 20)