List Archive: gentoo-ppc-dev
To: gentoo-announce@g.o
From: Ferry Meyndert <m0rpheus@g.o>
Subject: [gentoo-announce] GLSA: PHP contains a vulnerable data handler that could allow remote compromise
Date: Mon Jul 22 10:39:05 2002
--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------

PACKAGE        :php,mod_php
SUMMARY        :Vulnerable data handler
DATE           :2002-07-22 16:51:00

--------------------------------------------------------------------

OVERVIEW

E-matters has discovered a serious vulnerability in the default
version of PHP. Depending on the processor architecture, it may be
possible for a remote attacker to either crash or compromise the web
server.


DETAIL

PHP 4.2.0 introduced a completely rewritten multipart/form-data POST
handler. While I was working on the code in my role as PHP developer I
found a bug within the way the MIME headers are processed. A malformed
POST request can trigger an error condition that is not correctly
handled. Due to this bug it could happen that an uninitialised struct
gets appended to the linked list of MIME headers. When the list gets
cleaned or destroyed PHP tries to free the pointers that are expected in
the struct. Because of the lack of initialisation those pointers
contain stuff that was left on the stack by previous function calls.

On the IA32 architecture (a.k.a. x86) it is not possible to control what
will end up in the uninitialised struct because of the stack layout. All
possible code paths leave illegal addresses within the struct and PHP
will crash when it tries to free them.

Unfortunately the situation is entirely different if you look at a
Solaris SPARC installation. Here it is possible for an attacker to free
chunks of memory that are fully under his control. This is most probably
the case for several more non-IA32 architectures as well.

Please note that exploitability is not limited only to systems that are
running malloc()/free() implementations that are known to be vulnerable
to control-structure overwrites. This is because the internal PHP memory
management implements its own linked list system that can be used to
overwrite nearly arbitrary memory addresses.
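As an added illustration (not code from this advisory, from e-matters or from PHP itself), the C sketch below reproduces the pattern described above in miniature: a header parser that leaves its output struct untouched on a malformed line, a linked list that stores headers by value, and a caller that ignores the parse error, next to the hardened caller that zero-initialises the struct and appends only after a successful parse. All names (hdr, dupn, parse_header, list_add, list_free, parse_block_unsafe, parse_block_safe) are hypothetical, and the header lines fed to it are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* One parsed MIME header; the list stores a by-value copy of this struct. */
typedef struct hdr { char *name; char *value; struct hdr *next; } hdr;
static char *dupn(const char *s, size_t n) {            /* bounded strdup */
    char *p = malloc(n + 1); if (p) { memcpy(p, s, n); p[n] = '\0'; } return p;
}
/* Parse "Name: value" into *h. Returns 0 on success, -1 on a malformed line.
 * On failure *h is deliberately left untouched, mirroring the hazard in the
 * advisory: the caller must check the return value before using *h. */
static int parse_header(const char *line, hdr *h) {
    const char *colon = strchr(line, ':');
    if (!colon || colon == line) return -1;             /* no "Name:" part */
    const char *v = colon + 1 + strspn(colon + 1, " \t");
    h->name = dupn(line, (size_t)(colon - line));
    h->value = dupn(v, strlen(v));
    h->next = NULL;
    return 0;
}
/* Push a copy of *h onto the list (most recent header first). */
static void list_add(hdr **head, const hdr *h) {
    hdr *n = malloc(sizeof *n);
    if (n) { *n = *h; n->next = *head; *head = n; }
}
/* Destroy the list, freeing the name/value pointers every entry must own. */
static void list_free(hdr *head) {
    while (head) { hdr *n = head->next; free(head->name); free(head->value); free(head); head = n; }
}

/* VULNERABLE pattern (never called here): the parse result is ignored, so a
 * malformed line appends an uninitialised stack struct and list_free() later
 * hands stale stack contents to free(). That is undefined behaviour. */
int parse_block_unsafe(const char *lines[], int n, hdr **head) {
    for (int i = 0; i < n; i++) { hdr h; parse_header(lines[i], &h); list_add(head, &h); }
    return n;
}

/* HARDENED pattern: zero-initialise, append only after a successful parse,
 * skip malformed lines. Returns the number of headers appended. */
int parse_block_safe(const char *lines[], int n, hdr **head) {
    int added = 0;
    for (int i = 0; i < n; i++) {
        hdr h = {0};
        if (parse_header(lines[i], &h) != 0) continue;  /* malformed: skip */
        list_add(head, &h);
        added++;
    }
    return added;
}
```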


SOLUTION

It is recommended that all Gentoo Linux users update their systems as
follows.

emerge --clean rsync
emerge php mod_php
emerge clean
 
Manually:

Download the new PHP package from the URL below and follow the in-file instructions:
http://www.php.net/distributions/php-4.2.2.tar.gz

Workaround:

If the PHP applications on an affected web server do not rely on HTTP
POST input from user agents, it is often possible to deny POST requests
on the web server.

In the Apache web server, for example, this is possible with the
following code included in the main configuration file or a top-level
.htaccess file:

<Limit POST>
    Order deny,allow
    Deny from all
</Limit>

Note that an existing configuration and/or .htaccess file may contain
directives that contradict the example given above.

--------------------------------------------------------------------
Ferry Meyndert
m0rpheus@g.o
http://www.gentoo.org/~m0rpheus
--------------------------------------------------------------------
_______________________________________________
gentoo-announce mailing list
gentoo-announce@g.o
http://lists.gentoo.org/mailman/listinfo/gentoo-announce
