[gentoo-announce] [ GLSA 200407-13 ] PHP: Multiple security vulnerabilities - gentoo-announce

From:	Kurt Lieber <klieber@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200407-13 ] PHP: Multiple security vulnerabilities
Date:	Thu, 15 Jul 2004 13:24:29
Message-Id:	`20040715132350.GN18023@mail.lieber.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200407-13

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: High

8

     Title: PHP: Multiple security vulnerabilities

9

      Date: July 15, 2004

10

      Bugs: #56985

11

        ID: 200407-13

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple security vulnerabilities, potentially allowing remote code

19

execution, were found and fixed in PHP.

20

21

Background

22

==========

23

24

PHP is a general-purpose scripting language widely used to develop

25

web-based applications. It can run inside a web server using the

26

mod_php module or the CGI version of PHP, or can run stand-alone in a

27

CLI.

28

29

Affected packages

30

=================

31

32

    -------------------------------------------------------------------

33

     Package          /   Vulnerable   /                    Unaffected

34

    -------------------------------------------------------------------

35

  1  dev-php/php          <= 4.3.7-r1                         >= 4.3.8

36

  2  dev-php/mod_php      <= 4.3.7-r1                         >= 4.3.8

37

  3  dev-php/php-cgi      <= 4.3.7-r1                         >= 4.3.8

38

    -------------------------------------------------------------------

39

     3 affected packages on all of their supported architectures.

40

    -------------------------------------------------------------------

41

42

Description

43

===========

44

45

Several security vulnerabilities were found and fixed in version 4.3.8

46

of PHP. The strip_tags() function, used to sanitize user input, could

47

in certain cases allow tags containing \0 characters (CAN-2004-0595).

48

When memory_limit is used, PHP might unsafely interrupt other functions

49

(CAN-2004-0594). The ftok and itpc functions were missing safe_mode

50

checks. It was possible to bypass open_basedir restrictions using

51

MySQL's LOAD DATA LOCAL function. Furthermore, the IMAP extension was

52

incorrectly allocating memory and alloca() calls were replaced with

53

emalloc() for better stack protection.

54

55

Impact

56

======

57

58

Successfully exploited, the memory_limit problem could allow remote

59

excution of arbitrary code. By exploiting the strip_tags vulnerability,

60

it is possible to pass HTML code that would be considered as valid tags

61

by the Microsoft Internet Explorer and Safari browsers. Using ftok,

62

itpc or MySQL's LOAD DATA LOCAL, it is possible to bypass PHP

63

configuration restrictions.

64

65

Workaround

66

==========

67

68

There is no known workaround that would solve all these problems. All

69

users are encouraged to upgrade to the latest available versions.

70

71

Resolution

72

==========

73

74

All PHP, mod_php and php-cgi users should upgrade to the latest stable

75

version:

76

77

    # emerge sync

78

79

    # emerge -pv ">=dev-php/php-4.3.8"

80

    # emerge ">=dev-php/php-4.3.8"

81

82

    # emerge -pv ">=dev-php/mod_php-4.3.8"

83

    # emerge ">=dev-php/mod_php-4.3.8"

84

85

    # emerge -pv ">=dev-php/php-cgi-4.3.8"

86

    # emerge ">=dev-php/php-cgi-4.3.8"

87

88

References

89

==========

90

91

  [ 1 ] CAN-2004-0594

92

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594

93

  [ 2 ] CAN-2004-0595

94

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595

95

  [ 3 ] E-Matters Advisory 11/2004

96

        http://security.e-matters.de/advisories/112004.html

97

  [ 4 ] E-Matters Advisory 12/2004

98

        http://security.e-matters.de/advisories/122004.html

99

100

Availability

101

============

102

103

This GLSA and any updates to it are available for viewing at

104

the Gentoo Security Website:

105

106

    http://security.gentoo.org/glsa/glsa-200407-13.xml

107

108

Concerns?

109

=========

110

111

Security is a primary focus of Gentoo Linux and ensuring the

112

confidentiality and security of our users machines is of utmost

113

importance to us. Any security concerns should be addressed to

114

security@g.o or alternatively, you may file a bug at

115

http://bugs.gentoo.org.

116

117

License

118

=======

119

120

Copyright 2004 Gentoo Foundation, Inc; referenced text

121

belongs to its owner(s).

122

123

The contents of this document are licensed under the

124

Creative Commons - Attribution / Share Alike license.

125

126

http://creativecommons.org/licenses/by-sa/1.0

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200407-13
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: High
8	Title: PHP: Multiple security vulnerabilities
9	Date: July 15, 2004
10	Bugs: #56985
11	ID: 200407-13
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple security vulnerabilities, potentially allowing remote code
19	execution, were found and fixed in PHP.
20
21	Background
22	==========
23
24	PHP is a general-purpose scripting language widely used to develop
25	web-based applications. It can run inside a web server using the
26	mod_php module or the CGI version of PHP, or can run stand-alone in a
27	CLI.
28
29	Affected packages
30	=================
31
32	-------------------------------------------------------------------
33	Package / Vulnerable / Unaffected
34	-------------------------------------------------------------------
35	1 dev-php/php <= 4.3.7-r1 >= 4.3.8
36	2 dev-php/mod_php <= 4.3.7-r1 >= 4.3.8
37	3 dev-php/php-cgi <= 4.3.7-r1 >= 4.3.8
38	-------------------------------------------------------------------
39	3 affected packages on all of their supported architectures.
40	-------------------------------------------------------------------
41
42	Description
43	===========
44
45	Several security vulnerabilities were found and fixed in version 4.3.8
46	of PHP. The strip_tags() function, used to sanitize user input, could
47	in certain cases allow tags containing \0 characters (CAN-2004-0595).
48	When memory_limit is used, PHP might unsafely interrupt other functions
49	(CAN-2004-0594). The ftok and itpc functions were missing safe_mode
50	checks. It was possible to bypass open_basedir restrictions using
51	MySQL's LOAD DATA LOCAL function. Furthermore, the IMAP extension was
52	incorrectly allocating memory and alloca() calls were replaced with
53	emalloc() for better stack protection.
54
55	Impact
56	======
57
58	Successfully exploited, the memory_limit problem could allow remote
59	excution of arbitrary code. By exploiting the strip_tags vulnerability,
60	it is possible to pass HTML code that would be considered as valid tags
61	by the Microsoft Internet Explorer and Safari browsers. Using ftok,
62	itpc or MySQL's LOAD DATA LOCAL, it is possible to bypass PHP
63	configuration restrictions.
64
65	Workaround
66	==========
67
68	There is no known workaround that would solve all these problems. All
69	users are encouraged to upgrade to the latest available versions.
70
71	Resolution
72	==========
73
74	All PHP, mod_php and php-cgi users should upgrade to the latest stable
75	version:
76
77	# emerge sync
78
79	# emerge -pv ">=dev-php/php-4.3.8"
80	# emerge ">=dev-php/php-4.3.8"
81
82	# emerge -pv ">=dev-php/mod_php-4.3.8"
83	# emerge ">=dev-php/mod_php-4.3.8"
84
85	# emerge -pv ">=dev-php/php-cgi-4.3.8"
86	# emerge ">=dev-php/php-cgi-4.3.8"
87
88	References
89	==========
90
91	[ 1 ] CAN-2004-0594
92	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
93	[ 2 ] CAN-2004-0595
94	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595
95	[ 3 ] E-Matters Advisory 11/2004
96	http://security.e-matters.de/advisories/112004.html
97	[ 4 ] E-Matters Advisory 12/2004
98	http://security.e-matters.de/advisories/122004.html
99
100	Availability
101	============
102
103	This GLSA and any updates to it are available for viewing at
104	the Gentoo Security Website:
105
106	http://security.gentoo.org/glsa/glsa-200407-13.xml
107
108	Concerns?
109	=========
110
111	Security is a primary focus of Gentoo Linux and ensuring the
112	confidentiality and security of our users machines is of utmost
113	importance to us. Any security concerns should be addressed to
114	security@g.o or alternatively, you may file a bug at
115	http://bugs.gentoo.org.
116
117	License
118	=======
119
120	Copyright 2004 Gentoo Foundation, Inc; referenced text
121	belongs to its owner(s).
122
123	The contents of this document are licensed under the
124	Creative Commons - Attribution / Share Alike license.
125
126	http://creativecommons.org/licenses/by-sa/1.0

Gentoo Archives: gentoo-announce