summaryrefslogtreecommitdiff
blob: 3da6532a71e347bff22922d7792ebcc8fa604b7e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

<glsa id="200811-05">
  <title>PHP: Multiple vulnerabilities</title>
  <synopsis>
    PHP contains several vulnerabilities including buffer and integer overflows
    which could lead to the remote execution of arbitrary code.
  </synopsis>
  <product type="ebuild">php</product>
  <announced>November 16, 2008</announced>
  <revised>November 16, 2008: 01</revised>
  <bug>209148</bug>
  <bug>212211</bug>
  <bug>215266</bug>
  <bug>228369</bug>
  <bug>230575</bug>
  <bug>234102</bug>
  <access>remote</access>
  <affected>
    <package name="dev-lang/php" auto="yes" arch="*">
      <unaffected range="ge">5.2.6-r6</unaffected>
      <vulnerable range="lt">5.2.6-r6</vulnerable>
    </package>
  </affected>
  <background>
    <p>
    PHP is a widely-used general-purpose scripting language that is
    especially suited for Web development and can be embedded into HTML.
    </p>
  </background>
  <description>
    <p>
    Several vulnerabilitites were found in PHP:
    </p>
    <ul>
    <li>PHP ships a
    vulnerable version of the PCRE library which allows for the
    circumvention of security restrictions or even for remote code
    execution in case of an application which accepts user-supplied regular
    expressions (CVE-2008-0674).</li>
    <li>Multiple crash issues in several
    PHP functions have been discovered.</li>
    <li>Ryan Permeh reported that
    the init_request_info() function in sapi/cgi/cgi_main.c does not
    properly consider operator precedence when calculating the length of
    PATH_TRANSLATED (CVE-2008-0599).</li>
    <li>An off-by-one error in the
    metaphone() function may lead to memory corruption.</li>
    <li>Maksymilian Arciemowicz of SecurityReason Research reported an
    integer overflow, which is triggerable using printf() and related
    functions (CVE-2008-1384).</li>
    <li>Andrei Nigmatulin reported a
    stack-based buffer overflow in the FastCGI SAPI, which has unknown
    attack vectors (CVE-2008-2050).</li>
    <li>Stefan Esser reported that PHP
    does not correctly handle multibyte characters inside the
    escapeshellcmd() function, which is used to sanitize user input before
    its usage in shell commands (CVE-2008-2051).</li>
    <li>Stefan Esser
    reported that a short-coming in PHP's algorithm of seeding the random
    number generator might allow for predictible random numbers
    (CVE-2008-2107, CVE-2008-2108).</li>
    <li>The IMAP extension in PHP uses
    obsolete c-client API calls making it vulnerable to buffer overflows as
    no bounds checking can be done (CVE-2008-2829).</li>
    <li>Tavis Ormandy
    reported a heap-based buffer overflow in pcre_compile.c in the PCRE
    version shipped by PHP when processing user-supplied regular
    expressions (CVE-2008-2371).</li>
    <li>CzechSec reported that specially
    crafted font files can lead to an overflow in the imageloadfont()
    function in ext/gd/gd.c, which is part of the GD extension
    (CVE-2008-3658).</li>
    <li>Maksymilian Arciemowicz of SecurityReason
    Research reported that a design error in PHP's stream wrappers allows
    to circumvent safe_mode checks in several filesystem-related PHP
    functions (CVE-2008-2665, CVE-2008-2666).</li>
    <li>Laurent Gaffie
    discovered a buffer overflow in the internal memnstr() function, which
    is used by the PHP function explode() (CVE-2008-3659).</li>
    <li>An
    error in the FastCGI SAPI when processing a request with multiple dots
    preceding the extension (CVE-2008-3660).</li>
    </ul>
  </description>
  <impact type="normal">
    <p>
    These vulnerabilities might allow a remote attacker to execute
    arbitrary code, to cause a Denial of Service, to circumvent security
    restrictions, to disclose information, and to manipulate files.
    </p>
  </impact>
  <workaround>
    <p>
    There is no known workaround at this time.
    </p>
  </workaround>
  <resolution>
    <p>
    All PHP users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose &quot;&gt;=dev-lang/php-5.2.6-r6&quot;</code>
  </resolution>
  <references>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599">CVE-2008-0599</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0674">CVE-2008-0674</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1384">CVE-2008-1384</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2050">CVE-2008-2050</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051">CVE-2008-2051</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107">CVE-2008-2107</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108">CVE-2008-2108</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2371">CVE-2008-2371</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2665">CVE-2008-2665</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2666">CVE-2008-2666</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829">CVE-2008-2829</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658">CVE-2008-3658</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659">CVE-2008-3659</uri>
    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660">CVE-2008-3660</uri>
  </references>
  <metadata tag="requester" timestamp="Mon, 17 Mar 2008 01:12:26 +0000">
    rbu
  </metadata>
  <metadata tag="submitter" timestamp="Mon, 10 Nov 2008 18:29:08 +0000">
    keytoaster
  </metadata>
  <metadata tag="bugReady" timestamp="Sun, 16 Nov 2008 16:06:26 +0000">
    keytoaster
  </metadata>
</glsa>