oss-sec mailing list archives
Re: CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026 [was: Re: [oss-security] CVE request: php 5.3.1 update]
From: Josh Bressers <bressers () redhat com>
Date: Mon, 23 Nov 2009 15:49:28 -0500 (EST)
CVE-2009-4018 PHP before 5.3.1 proc_open() can be used to bypass the safe_mode_protected_env_vars INI setting. This could be used to alter the process environment possibly executing arbitrary code. http://www.php.net/ChangeLog-5.php#5.3.1 http://bugs.php.net/bug.php?id=49026 http://marc.info/?l=oss-security&m=125897935330618&w=2 Thanks. -- JB ----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:
Hi Brian, security curmudgeon wrote:On Fri, 20 Nov 2009, Thomas Biege wrote: : PHP was updated to version 5.3.1 and did also address security : issues: http://www.php.net/releases/5_3_1.php : : Security Enhancements and Fixes in PHP 5.3.1: : : * Added "max_file_uploads" INI directive, which can be set tolimit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.: * Added missing sanity checks around exif processing. This was previously disclosed and fixed in the 5.2.x tree. I believethisis the same as CVE-2009-3292. : * Fixed a safe_mode bypass in tempnam(). : * Fixed a open_basedir bypass in posix_mkfifo(). : * Fixed bug #50063 (safe_mode_include_dir fails). : * Fixed bug #44683 (popen crashes when an invalid mode ispassed).Also not flagged as 'security' up top, but from the changelog: Fixed bug #49026 (proc_open() can bypasssafe_mode_protected_env_varsrestrictions). (Ilia)Thank you for pointing this out. Yes, further look into particular php bugzilla returns: "Environment variables specified for proc_open passed without check so safe_mode_allowed_env_vars and safe_mode_protected_env_vars settings are ignored. So it become possible to use buffer overflow exploit with "LD_PRELOAD=evil_library.so" to bypass safe_mode restrictions and get access to any files acessible for apache uid." So looks another CVE id is needed here. Changed subject to: "CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026" Could we get another CVE id for this case? Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response TeamBrian
Current thread:
- CVE request: php 5.3.1 update Thomas Biege (Nov 20)
- Re: CVE request: php 5.3.1 update Joe Orton (Nov 20)
- Re: CVE request: php 5.3.1 update Tomas Hoger (Nov 20)
- Re: CVE request: php 5.3.1 update Eren Türkay (Nov 20)
- Re: CVE request: php 5.3.1 update security curmudgeon (Nov 21)
- Re: CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026 [was: Re: [oss-security] CVE request: php 5.3.1 update] Jan Lieskovsky (Nov 23)
- Re: CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026 [was: Re: [oss-security] CVE request: php 5.3.1 update] Josh Bressers (Nov 23)
- Re: CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026 [was: Re: [oss-security] CVE request: php 5.3.1 update] Jan Lieskovsky (Nov 23)
- Re: CVE request: php 5.3.1 update Joe Orton (Nov 20)