GLSA-200412-14 : PHP: Multiple vulnerabilities

This script is Copyright (C) 2004-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200412-14
(PHP: Multiple vulnerabilities)

Stefan Esser and Marcus Boerger reported several different issues in
the unserialize() function, including serious exploitable bugs in the
way it handles negative references (CAN-2004-1019).
Stefan Esser also discovered that the pack() and unpack() functions are
subject to integer overflows that can lead to a heap buffer overflow
and a heap information leak. He further found that the way
multithreaded PHP handles safe_mode_exec_dir restrictions can be
bypassed, and that various path truncation issues also allow path and
safe_mode restrictions to be bypassed.
Ilia Alshanetsky found a stack overflow issue in the exif_read_data()
function (CAN-2004-1065). Finally, Daniel Fabian found that addslashes()
and magic_quotes_gpc do not properly escape null characters and that
magic_quotes_gpc contains a bug that could lead to a one-level directory
traversal.

Impact :

These issues could be exploited by a remote attacker to retrieve web
server heap information, bypass safe_mode or path restrictions and
potentially execute arbitrary code with the rights of the web server
running a PHP application.

Workaround :

There is no known workaround at this time.

See also :

http://www.php.net/release_4_3_10.php
http://www.hardened-php.net/advisories/012004.txt
http://www.securityfocus.com/archive/1/384663/2004-12-15/2004-12-21/0
http://www.gentoo.org/security/en/glsa/glsa-200412-14.xml

Solution :

All PHP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-php/php-4.3.10'

All mod_php users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-php/mod_php-4.3.10'

All php-cgi users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-php/php-cgi-4.3.10'

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 16001 (gentoo_GLSA-200412-14.nasl)

Bugtraq ID:

CVE ID: CVE-2004-1019
CVE-2004-1020
CVE-2004-1063
CVE-2004-1064
CVE-2004-1065