Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : php5 regression (USN-1358-2)

Ubuntu Security Notice (C) 2012-2014 Canonical, Inc. / NASL script (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

USN 1358-1 fixed multiple vulnerabilities in PHP. The fix for
CVE-2012-0831 introduced a regression where the state of the
magic_quotes_gpc setting was not correctly reflected when calling the
ini_get() function.

We apologize for the inconvenience.

It was discovered that PHP computed hash values for form parameters
without restricting the ability to trigger hash collisions
predictably. This could allow a remote attacker to cause a denial of
service by sending many crafted parameters. (CVE-2011-4885)

ATTENTION: this update changes previous PHP behavior by
limiting the number of external input variables to 1000.
This may be increased by adding a 'max_input_vars' directive
to the php.ini configuration file. See
http://www.php.net/manual/en/info.configuration.php#ini.max-
input-vars for more information.

Stefan Esser discovered that the fix to address the
predictable hash collision issue, CVE-2011-4885, did not
properly handle the situation where the limit was reached.
This could allow a remote attacker to cause a denial of
service or execute arbitrary code via a request containing a
large number of variables. (CVE-2012-0830)

It was discovered that PHP did not always check the return
value of the zend_strndup function. This could allow a
remote attacker to cause a denial of service.
(CVE-2011-4153)

It was discovered that PHP did not properly enforce libxslt
security settings. This could allow a remote attacker to
create arbitrary files via a crafted XSLT stylesheet that
uses the libxslt output extension. (CVE-2012-0057)

It was discovered that PHP did not properly enforce that
PDORow objects could not be serialized and not be saved in a
session. A remote attacker could use this to cause a denial
of service via an application crash. (CVE-2012-0788)

It was discovered that PHP allowed the magic_quotes_gpc
setting to be disabled remotely. This could allow a remote
attacker to bypass restrictions that could prevent a SQL
injection. (CVE-2012-0831)

USN 1126-1 addressed an issue where the /etc/cron.d/php5
cron job for PHP allowed local users to delete arbitrary
files via a symlink attack on a directory under
/var/lib/php5/. Emese Revfy discovered that the fix had not
been applied to PHP for Ubuntu 10.04 LTS. This update
corrects the issue. We apologize for the error.
(CVE-2011-0441).

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 57932 ()

Bugtraq ID:

CVE ID: CVE-2011-0441
CVE-2011-4153
CVE-2011-4885
CVE-2012-0057
CVE-2012-0788
CVE-2012-0830
CVE-2012-0831