news 28 Posted January 22, 2009 This is a multi-part message in MIME format... ------------=_1232582419-14940-7755 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:023 http://www.mandriva.com/security/ _______________________________________________________________________ Package : php Date : January 21, 2009 Affected: Corporate 4.0 _______________________________________________________________________ Problem Description: A vulnerability in PHP allowed context-dependent attackers to cause a denial of service (crash) via a certain long string in the glob() or fnmatch() functions (CVE-2007-4782). A vulnerability in the cURL library in PHP allowed context-dependent attackers to bypass safe_mode and open_basedir restrictions and read arbitrary files using a special URL request (CVE-2007-4850). An integer overflow in PHP allowed context-dependent attackers to cause a denial of serivce via a special printf() format parameter (CVE-2008-1384). A stack-based buffer overflow in the FastCGI SAPI in PHP has unknown impact and attack vectors (CVE-2008-2050). Tavis Ormandy of the Google Security Team discovered a heap-based buffer overflow when compiling certain regular expression patterns. This could be used by a malicious attacker by sending a specially crafted regular expression to an application using the PCRE library, resulting in the possible execution of arbitrary code or a denial of service (CVE-2008-2371). PHP in Corporate Server 4.0 is affected by this issue. A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658). A buffer overflow in the memnstr() function allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via the delimiter argument to the explode() function (CVE-2008-3659). PHP, when used as a FastCGI module, allowed remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension (CVE-2008-3660). An array index error in the imageRotate() function in PHP allowed context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument to the function for an indexed image (CVE-2008-5498). The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4782 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4850 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1384 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2371 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5498 _______________________________________________________________________ Updated Packages: Corporate 4.0: d55d5489013a1f9e95262571a5ef2979 corporate/4.0/i586/libphp5_common5-5.1.6-1.10.20060mlcs4.i586.rpm 8701a5ab0e71009171216ccda307e547 corporate/4.0/i586/php-cgi-5.1.6-1.10.20060mlcs4.i586.rpm d3e8b97d03ccd01127a1aeb9e17d3d7e corporate/4.0/i586/php-cli-5.1.6-1.10.20060mlcs4.i586.rpm 6e0aa2965637f3dbc25cff1d5064bb8c corporate/4.0/i586/php-curl-5.1.6-1.1.20060mlcs4.i586.rpm 0458b8aa8daa0e39cd329761eae9d654 corporate/4.0/i586/php-devel-5.1.6-1.10.20060mlcs4.i586.rpm 89487acc8fa77864d25e5aebc40bc9b4 corporate/4.0/i586/php-fcgi-5.1.6-1.10.20060mlcs4.i586.rpm bf404efb4e9567f431256d36833fc8d6 corporate/4.0/i586/php-pcre-5.1.6-1.1.20060mlcs4.i586.rpm c62fb74e0d8744077e4c8ff6f50df98b corporate/4.0/SRPMS/php-5.1.6-1.10.20060mlcs4.src.rpm e46cf717872ddfbf6a13f6d45d225533 corporate/4.0/SRPMS/php-curl-5.1.6-1.1.20060mlcs4.src.rpm b188d26d6a781b5066d515ed5ae36ace corporate/4.0/SRPMS/php-pcre-5.1.6-1.1.20060mlcs4.src.rpm Corporate 4.0/X86_64: 70d99222e5692b2fd88fcb05f8f5e620 corporate/4.0/x86_64/lib64php5_common5-5.1.6-1.10.20060mlcs4.x86_64.rpm 62448b1b344cdc098b6620e0e773ef17 corporate/4.0/x86_64/php-cgi-5.1.6-1.10.20060mlcs4.x86_64.rpm dc0df43cfe80f4b5017924152d43a91f corporate/4.0/x86_64/php-cli-5.1.6-1.10.20060mlcs4.x86_64.rpm 9ac37cd014c4012a964e65cbe9d1b01a corporate/4.0/x86_64/php-curl-5.1.6-1.1.20060mlcs4.x86_64.rpm 6ac51f6b50172ee6d5eb36ce8b8cba77 corporate/4.0/x86_64/php-devel-5.1.6-1.10.20060mlcs4.x86_64.rpm ab26bfe0c8370bd2bf37205cbc1df63b corporate/4.0/x86_64/php-fcgi-5.1.6-1.10.20060mlcs4.x86_64.rpm e570ffbbd17e30630e7f14a67b57cffd corporate/4.0/x86_64/php-pcre-5.1.6-1.1.20060mlcs4.x86_64.rpm c62fb74e0d8744077e4c8ff6f50df98b corporate/4.0/SRPMS/php-5.1.6-1.10.20060mlcs4.src.rpm e46cf717872ddfbf6a13f6d45d225533 corporate/4.0/SRPMS/php-curl-5.1.6-1.1.20060mlcs4.src.rpm b188d26d6a781b5066d515ed5ae36ace corporate/4.0/SRPMS/php-pcre-5.1.6-1.1.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFJd4y5mqjQ0CJFipgRAlpVAJ4oOl0atBrwZTu5WA3RvdNxzIDroACgi+UH 4tzIz9f+JcmDA5Q469nYg5M= =804z -----END PGP SIGNATURE----- ------------=_1232582419-14940-7755 Content-Type: text/plain; name="message-footer.txt" Content-Disposition: inline; filename="message-footer.txt" Content-Transfer-Encoding: 8bit To unsubscribe, send a email to sympa ( -at -) mandrivalinux.org with this subject : unsubscribe security-announce _______________________________________________________ Want to buy your Pack or Services from Mandriva? Go to http://www.mandrivastore.com Join the Club : http://www.mandrivaclub.com _______________________________________________________ ------------=_1232582419-14940-7755-- Share this post Link to post