Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : php5 vulnerabilities (USN-862-1)

Ubuntu Security Notice (C) 2009-2014 Canonical, Inc. / NASL script (C) 2009-2014 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

Maksymilian Arciemowicz discovered that PHP did not properly validate
arguments to the dba_replace function. If a script passed untrusted
input to the dba_replace function, an attacker could truncate the
database. This issue only applied to Ubuntu 6.06 LTS, 8.04 LTS, and
8.10. (CVE-2008-7068)

It was discovered that PHP's php_openssl_apply_verification_policy
function did not correctly handle SSL certificates with zero bytes in
the Common Name. A remote attacker could exploit this to perform a man
in the middle attack to view sensitive information or alter encrypted
communications. (CVE-2009-3291)

It was discovered that PHP did not properly handle certain malformed
images when being parsed by the Exif module. A remote attacker could
exploit this flaw and cause the PHP server to crash, resulting in a
denial of service. (CVE-2009-3292)

Grzegorz Stachowiak discovered that PHP did not properly enforce
restrictions in the tempnam function. An attacker could exploit this
issue to bypass safe_mode restrictions. (CVE-2009-3557)

Grzegorz Stachowiak discovered that PHP did not properly enforce
restrictions in the posix_mkfifo function. An attacker could exploit
this issue to bypass open_basedir restrictions. (CVE-2009-3558)

Bogdan Calin discovered that PHP did not limit the number of temporary
files created when handling multipart/form-data POST requests. A
remote attacker could exploit this flaw and cause the PHP server to
consume all available resources, resulting in a denial of service.
(CVE-2009-4017)

ATTENTION: This update changes previous PHP behaviour by limiting the
number of files in a POST request to 50. This may be increased by
adding a 'max_file_uploads' directive to the php.ini configuration
file.

It was discovered that PHP did not properly enforce restrictions in
the proc_open function. An attacker could exploit this issue to bypass
safe_mode_protected_env_vars restrictions and possibly execute
arbitrary code with application privileges. (CVE-2009-4018).

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.2
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 42930 ()

Bugtraq ID: 36449
37079
37138

CVE ID: CVE-2008-7068
CVE-2009-3291
CVE-2009-3292
CVE-2009-3557
CVE-2009-3558
CVE-2009-4017
CVE-2009-4018