Gentoo Archives: gentoo-announce

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200811-05 ] PHP: Multiple vulnerabilities
Date: Sun, 16 Nov 2008 16:12:38
Message-Id: 4920459B.3020109@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200811-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: PHP: Multiple vulnerabilities
Date: November 16, 2008
Bugs: #209148, #212211, #215266, #228369, #230575, #234102
ID: 200811-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

PHP contains several vulnerabilities including buffer and integer
overflows which could lead to the remote execution of arbitrary code.

Background
==========

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

Affected packages
=================

    -------------------------------------------------------------------
         Package                  /  Vulnerable  /        Unaffected
    -------------------------------------------------------------------
      1  dev-lang/php               < 5.2.6-r6            >= 5.2.6-r6

Description
===========

Several vulnerabilities were found in PHP:

* PHP ships a vulnerable version of the PCRE library which allows for
  the circumvention of security restrictions or even for remote code
  execution in case of an application which accepts user-supplied
  regular expressions (CVE-2008-0674).

* Multiple crash issues in several PHP functions have been
  discovered.

* Ryan Permeh reported that the init_request_info() function in
  sapi/cgi/cgi_main.c does not properly consider operator precedence
  when calculating the length of PATH_TRANSLATED (CVE-2008-0599).

* An off-by-one error in the metaphone() function may lead to memory
  corruption.

* Maksymilian Arciemowicz of SecurityReason Research reported an
  integer overflow, which is triggerable using printf() and related
  functions (CVE-2008-1384).

* Andrei Nigmatulin reported a stack-based buffer overflow in the
  FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050).

* Stefan Esser reported that PHP does not correctly handle multibyte
  characters inside the escapeshellcmd() function, which is used to
  sanitize user input before its usage in shell commands
  (CVE-2008-2051).

* Stefan Esser reported that a shortcoming in PHP's algorithm for
  seeding the random number generator might allow for predictable
  random numbers (CVE-2008-2107, CVE-2008-2108).

* The IMAP extension in PHP uses obsolete c-client API calls, making
  it vulnerable to buffer overflows as no bounds checking can be done
  (CVE-2008-2829).

* Tavis Ormandy reported a heap-based buffer overflow in
  pcre_compile.c in the PCRE version shipped by PHP when processing
  user-supplied regular expressions (CVE-2008-2371).

* CzechSec reported that specially crafted font files can lead to an
  overflow in the imageloadfont() function in ext/gd/gd.c, which is
  part of the GD extension (CVE-2008-3658).

* Maksymilian Arciemowicz of SecurityReason Research reported that a
  design error in PHP's stream wrappers allows safe_mode checks in
  several filesystem-related PHP functions to be circumvented
  (CVE-2008-2665, CVE-2008-2666).

* Laurent Gaffie discovered a buffer overflow in the internal
  memnstr() function, which is used by the PHP function explode()
  (CVE-2008-3659).

* An error exists in the FastCGI SAPI when processing a request with
  multiple dots preceding the extension (CVE-2008-3660).

Impact
======

These vulnerabilities might allow a remote attacker to execute
arbitrary code, to cause a Denial of Service, to circumvent security
restrictions, to disclose information, and to manipulate files.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PHP users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.6-r6"

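Upgrading is the fix; confirming that every host actually carries the fixed version is the part an operator has to automate. The script below is an added example, not part of this GLSA and not Gentoo tooling. It reads the installed dev-lang/php version(s) from Portage's installed-package database under /var/db/pkg (directories named <category>/<package>-<version>, the default VDB layout) and compares each one against 5.2.6-r6 with a small comparison that understands dotted numeric components and the -rN revision suffix. It assumes those are the only version forms involved; versions carrying _rc, _p or _alpha suffixes are outside what it handles and should be checked with Portage itself (emerge -p '>=dev-lang/php-5.2.6-r6').

```shell
#!/bin/sh
# Added example, not part of GLSA 200811-05 or of Gentoo's tooling.
# Checks whether every installed dev-lang/php on this host is at or above
# the fixed version named in the advisory. Assumptions: Portage's
# installed-package database lives under $VDB_ROOT (default /var/db/pkg)
# as <category>/<package>-<version>/ directories, and PHP versions are
# dotted numeric components with an optional -rN revision. Versions with
# _rc/_p/_alpha style suffixes are not handled; use emerge -p for those.

FIXED_VERSION="5.2.6-r6"
VDB_ROOT="${VDB_ROOT:-/var/db/pkg}"

# version_ge A B: exit status 0 when Gentoo-style version A >= B.
# Dotted components are compared numerically left to right (a missing
# component counts as 0); only when they are all equal does the -rN
# revision decide, with a missing revision counting as r0.
version_ge() {
    a_base="${1%-r*}"; b_base="${2%-r*}"
    case "$1" in *-r*) a_rev="${1##*-r}" ;; *) a_rev=0 ;; esac
    case "$2" in *-r*) b_rev="${2##*-r}" ;; *) b_rev=0 ;; esac
    while [ -n "$a_base" ] || [ -n "$b_base" ]; do
        a_part="${a_base%%.*}"; b_part="${b_base%%.*}"
        case "$a_base" in *.*) a_base="${a_base#*.}" ;; *) a_base="" ;; esac
        case "$b_base" in *.*) b_base="${b_base#*.}" ;; *) b_base="" ;; esac
        [ "${a_part:-0}" -gt "${b_part:-0}" ] && return 0
        [ "${a_part:-0}" -lt "${b_part:-0}" ] && return 1
    done
    [ "$a_rev" -ge "$b_rev" ]
}

# List installed PHP versions: VDB directories look like
# $VDB_ROOT/dev-lang/php-5.2.6-r5, so strip everything up to "php-".
installed_php_versions() {
    for d in "$VDB_ROOT"/dev-lang/php-[0-9]*; do
        [ -d "$d" ] || continue    # unmatched glob stays literal; skip it
        printf '%s\n' "${d##*/php-}"
    done
}

# check_php: print a verdict per installed version; exit status 1 when at
# least one installed version is still below FIXED_VERSION. No recorded
# PHP at all is reported but counts as unaffected.
check_php() {
    status=0
    found=0
    for v in $(installed_php_versions); do
        found=1
        if version_ge "$v" "$FIXED_VERSION"; then
            printf 'dev-lang/php-%s: unaffected (>= %s)\n' "$v" "$FIXED_VERSION"
        else
            printf 'dev-lang/php-%s: VULNERABLE, upgrade per GLSA 200811-05\n' "$v"
            status=1
        fi
    done
    [ "$found" -eq 1 ] || printf 'no dev-lang/php recorded under %s\n' "$VDB_ROOT"
    return "$status"
}

# Run the check only where a Portage VDB exists (skipped on other systems).
if [ -d "$VDB_ROOT/dev-lang" ]; then
    check_php || exit 1
fi
```

Run it as any user that can read /var/db/pkg; it exits non-zero while a vulnerable PHP is still recorded, so it can be dropped into a fleet-wide audit unchanged. Setting VDB_ROOT to another path lets it inspect a mounted image or a test tree instead of the live system.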
References
==========

  [ 1 ] CVE-2008-0599
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599
  [ 2 ] CVE-2008-0674
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0674
  [ 3 ] CVE-2008-1384
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1384
  [ 4 ] CVE-2008-2050
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2050
  [ 5 ] CVE-2008-2051
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051
  [ 6 ] CVE-2008-2107
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107
  [ 7 ] CVE-2008-2108
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108
  [ 8 ] CVE-2008-2371
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2371
  [ 9 ] CVE-2008-2665
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2665
  [ 10 ] CVE-2008-2666
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2666
  [ 11 ] CVE-2008-2829
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829
  [ 12 ] CVE-2008-3658
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658
  [ 13 ] CVE-2008-3659
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
  [ 14 ] CVE-2008-3660
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200811-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachment: signature.asc (application/pgp-signature)