You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
132 lines
5.7 KiB
132 lines
5.7 KiB
<?xml version="1.0" encoding="utf-8"?>
|
|
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
|
|
<glsa id="200811-05">
|
|
<title>PHP: Multiple vulnerabilities</title>
|
|
<synopsis>
|
|
PHP contains several vulnerabilities including buffer and integer overflows
|
|
which could lead to the remote execution of arbitrary code.
|
|
</synopsis>
|
|
<product type="ebuild">php</product>
|
|
<announced>2008-11-16</announced>
|
|
<revised count="01">2008-11-16</revised>
|
|
<bug>209148</bug>
|
|
<bug>212211</bug>
|
|
<bug>215266</bug>
|
|
<bug>228369</bug>
|
|
<bug>230575</bug>
|
|
<bug>234102</bug>
|
|
<access>remote</access>
|
|
<affected>
|
|
<package name="dev-lang/php" auto="yes" arch="*">
|
|
<unaffected range="ge">5.2.6-r6</unaffected>
|
|
<vulnerable range="lt">5.2.6-r6</vulnerable>
|
|
</package>
|
|
</affected>
|
|
<background>
|
|
<p>
|
|
PHP is a widely-used general-purpose scripting language that is
|
|
especially suited for Web development and can be embedded into HTML.
|
|
</p>
|
|
</background>
|
|
<description>
|
|
<p>
|
|
Several vulnerabilitites were found in PHP:
|
|
</p>
|
|
<ul>
|
|
<li>PHP ships a
|
|
vulnerable version of the PCRE library which allows for the
|
|
circumvention of security restrictions or even for remote code
|
|
execution in case of an application which accepts user-supplied regular
|
|
expressions (CVE-2008-0674).</li>
|
|
<li>Multiple crash issues in several
|
|
PHP functions have been discovered.</li>
|
|
<li>Ryan Permeh reported that
|
|
the init_request_info() function in sapi/cgi/cgi_main.c does not
|
|
properly consider operator precedence when calculating the length of
|
|
PATH_TRANSLATED (CVE-2008-0599).</li>
|
|
<li>An off-by-one error in the
|
|
metaphone() function may lead to memory corruption.</li>
|
|
<li>Maksymilian Arciemowicz of SecurityReason Research reported an
|
|
integer overflow, which is triggerable using printf() and related
|
|
functions (CVE-2008-1384).</li>
|
|
<li>Andrei Nigmatulin reported a
|
|
stack-based buffer overflow in the FastCGI SAPI, which has unknown
|
|
attack vectors (CVE-2008-2050).</li>
|
|
<li>Stefan Esser reported that PHP
|
|
does not correctly handle multibyte characters inside the
|
|
escapeshellcmd() function, which is used to sanitize user input before
|
|
its usage in shell commands (CVE-2008-2051).</li>
|
|
<li>Stefan Esser
|
|
reported that a short-coming in PHP's algorithm of seeding the random
|
|
number generator might allow for predictible random numbers
|
|
(CVE-2008-2107, CVE-2008-2108).</li>
|
|
<li>The IMAP extension in PHP uses
|
|
obsolete c-client API calls making it vulnerable to buffer overflows as
|
|
no bounds checking can be done (CVE-2008-2829).</li>
|
|
<li>Tavis Ormandy
|
|
reported a heap-based buffer overflow in pcre_compile.c in the PCRE
|
|
version shipped by PHP when processing user-supplied regular
|
|
expressions (CVE-2008-2371).</li>
|
|
<li>CzechSec reported that specially
|
|
crafted font files can lead to an overflow in the imageloadfont()
|
|
function in ext/gd/gd.c, which is part of the GD extension
|
|
(CVE-2008-3658).</li>
|
|
<li>Maksymilian Arciemowicz of SecurityReason
|
|
Research reported that a design error in PHP's stream wrappers allows
|
|
to circumvent safe_mode checks in several filesystem-related PHP
|
|
functions (CVE-2008-2665, CVE-2008-2666).</li>
|
|
<li>Laurent Gaffie
|
|
discovered a buffer overflow in the internal memnstr() function, which
|
|
is used by the PHP function explode() (CVE-2008-3659).</li>
|
|
<li>An
|
|
error in the FastCGI SAPI when processing a request with multiple dots
|
|
preceding the extension (CVE-2008-3660).</li>
|
|
</ul>
|
|
</description>
|
|
<impact type="normal">
|
|
<p>
|
|
These vulnerabilities might allow a remote attacker to execute
|
|
arbitrary code, to cause a Denial of Service, to circumvent security
|
|
restrictions, to disclose information, and to manipulate files.
|
|
</p>
|
|
</impact>
|
|
<workaround>
|
|
<p>
|
|
There is no known workaround at this time.
|
|
</p>
|
|
</workaround>
|
|
<resolution>
|
|
<p>
|
|
All PHP users should upgrade to the latest version:
|
|
</p>
|
|
<code>
|
|
# emerge --sync
|
|
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.6-r6"</code>
|
|
</resolution>
|
|
<references>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599">CVE-2008-0599</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0674">CVE-2008-0674</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1384">CVE-2008-1384</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2050">CVE-2008-2050</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051">CVE-2008-2051</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107">CVE-2008-2107</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108">CVE-2008-2108</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2371">CVE-2008-2371</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2665">CVE-2008-2665</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2666">CVE-2008-2666</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829">CVE-2008-2829</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658">CVE-2008-3658</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659">CVE-2008-3659</uri>
|
|
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660">CVE-2008-3660</uri>
|
|
</references>
|
|
<metadata tag="requester" timestamp="2008-03-17T01:12:26Z">
|
|
rbu
|
|
</metadata>
|
|
<metadata tag="submitter" timestamp="2008-11-10T18:29:08Z">
|
|
keytoaster
|
|
</metadata>
|
|
<metadata tag="bugReady" timestamp="2008-11-16T16:06:26Z">
|
|
keytoaster
|
|
</metadata>
|
|
</glsa>
|