news 28 Posted November 16, 2008 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200811-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: PHP: Multiple vulnerabilities Date: November 16, 2008 Bugs: #209148, #212211, #215266, #228369, #230575, #234102 ID: 200811-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== PHP contains several vulnerabilities including buffer and integer overflows which could lead to the remote execution of arbitrary code. Background ========== PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-lang/php < 5.2.6-r6 >= 5.2.6-r6 Description =========== Several vulnerabilitites were found in PHP: * PHP ships a vulnerable version of the PCRE library which allows for the circumvention of security restrictions or even for remote code execution in case of an application which accepts user-supplied regular expressions (CVE-2008-0674). * Multiple crash issues in several PHP functions have been discovered. * Ryan Permeh reported that the init_request_info() function in sapi/cgi/cgi_main.c does not properly consider operator precedence when calculating the length of PATH_TRANSLATED (CVE-2008-0599). * An off-by-one error in the metaphone() function may lead to memory corruption. * Maksymilian Arciemowicz of SecurityReason Research reported an integer overflow, which is triggerable using printf() and related functions (CVE-2008-1384). * Andrei Nigmatulin reported a stack-based buffer overflow in the FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050). * Stefan Esser reported that PHP does not correctly handle multibyte characters inside the escapeshellcmd() function, which is used to sanitize user input before its usage in shell commands (CVE-2008-2051). * Stefan Esser reported that a short-coming in PHP's algorithm of seeding the random number generator might allow for predictible random numbers (CVE-2008-2107, CVE-2008-2108). * The IMAP extension in PHP uses obsolete c-client API calls making it vulnerable to buffer overflows as no bounds checking can be done (CVE-2008-2829). * Tavis Ormandy reported a heap-based buffer overflow in pcre_compile.c in the PCRE version shipped by PHP when processing user-supplied regular expressions (CVE-2008-2371). * CzechSec reported that specially crafted font files can lead to an overflow in the imageloadfont() function in ext/gd/gd.c, which is part of the GD extension (CVE-2008-3658). * Maksymilian Arciemowicz of SecurityReason Research reported that a design error in PHP's stream wrappers allows to circumvent safe_mode checks in several filesystem-related PHP functions (CVE-2008-2665, CVE-2008-2666). * Laurent Gaffie discovered a buffer overflow in the internal memnstr() function, which is used by the PHP function explode() (CVE-2008-3659). * An error in the FastCGI SAPI when processing a request with multiple dots preceding the extension (CVE-2008-3660). Impact ====== These vulnerabilities might allow a remote attacker to execute arbitrary code, to cause a Denial of Service, to circumvent security restrictions, to disclose information, and to manipulate files. Workaround ========== There is no known workaround at this time. Resolution ========== All PHP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.6-r6" References ========== [ 1 ] CVE-2008-0599 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599 [ 2 ] CVE-2008-0674 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0674 [ 3 ] CVE-2008-1384 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1384 [ 4 ] CVE-2008-2050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2050 [ 5 ] CVE-2008-2051 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051 [ 6 ] CVE-2008-2107 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107 [ 7 ] CVE-2008-2108 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108 [ 8 ] CVE-2008-2371 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2371 [ 9 ] CVE-2008-2665 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2665 [ 10 ] CVE-2008-2666 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2666 [ 11 ] CVE-2008-2829 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829 [ 12 ] CVE-2008-3658 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658 [ 13 ] CVE-2008-3659 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659 [ 14 ] CVE-2008-3660 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200811-05.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security ( -at -) gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 Share this post Link to post