http://docs.info.apple.com/article.html?artnum=306172

APPLE-SA-2007-07-31

24542

25056

25057

25445

26235

GLSA-200705-19

http://us2.php.net/releases/4_4_7.php

http://us2.php.net/releases/5_2_2.php

SUSE-SA:2007:032

http://www.php-security.org/MOPB/MOPB-24-2007.html

22990

25159

USN-455-1

ADV-2007-2732

This Update fixes numerous vulnerabilities in PHP. Most of them were made public during the 'Month of PHP Bugs'. The vulnerabilities potentially lead to crashes, information leaks or even execution of malicious code.

CVE-2007-1380 / CVE-2007-0988 / CVE-2007-1375 / CVE-2007-1521 / CVE-2007-1376 / CVE-2007-1583 / CVE-2007-1461 / CVE-2007-1484 / CVE-2007-1700 / CVE-2007-1717 / CVE-2007-1718 / CVE-2007-1001 / CVE-2007-1824

Stefan Esser discovered multiple vulnerabilities in the 'Month of PHP bugs'.

The substr_compare() function did not sufficiently verify its length argument. This might be exploited to read otherwise unaccessible memory, which might lead to information disclosure. (CVE-2007-1375)

The shared memory (shmop) functions did not verify resource types, thus they could be called with a wrong resource type that might contain user-supplied data. This could be exploited to read and write arbitrary memory addresses of the PHP interpreter. This issue does not affect Ubuntu 7.04. (CVE-2007-1376)

The php_binary handler of the session extension was missing a boundary check. When unserializing overly long variable names this could be exploited to read up to 126 bytes of memory, which might lead to information disclosure. (CVE-2007-1380)

The internal array_user_key_compare() function, as used for example by the PHP function uksort(), incorrectly handled memory unreferencing of its arguments. This could have been exploited to execute arbitrary code with the privileges of the PHP interpreter, and thus circumventing any disable_functions, open_basedir, or safe_mode restrictions. (CVE-2007-1484)

The session_regenerate_id() function did not properly clean up the former session identifier variable. This could be exploited to crash the PHP interpreter, possibly also remotely. (CVE-2007-1521)

Under certain conditions the mb_parse_str() could cause the register_globals configuration option to become permanently enabled.
This opened an attack vector for a large and common class of vulnerabilities. (CVE-2007-1583)

The session extension did not set the correct reference count value for the session variables. By unsetting _SESSION and HTTP_SESSION_VARS (or tricking a PHP script into doing that) this could be exploited to execute arbitrary code with the privileges of the PHP interpreter.
This issue does not affect Ubuntu 7.04. (CVE-2007-1700)

The mail() function did not correctly escape control characters in multiline email headers. This could be remotely exploited to inject arbitrary email headers. (CVE-2007-1718)

The php_stream_filter_create() function had an off-by-one buffer overflow in the handling of wildcards. This could be exploited to remotely crash the PHP interpreter. This issue does not affect Ubuntu 7.04. (CVE-2007-1824)

When calling the sqlite_udf_decode_binary() with special arguments, a buffer overflow happened. Depending on the application this could be locally or remotely exploited to execute arbitrary code with the privileges of the PHP interpreter. (CVE-2007-1887 CVE-2007-1888)

The FILTER_VALIDATE_EMAIL filter extension used a wrong regular expression that allowed injecting a newline character at the end of the email string. This could be exploited to inject arbitrary email headers. This issue only affects Ubuntu 7.04. (CVE-2007-1900).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This Update fixes numerous vulnerabilities in PHP. Most of them were made public during the 'Month of PHP Bugs'. The vulnerabilities potentially lead to crashes, information leaks or even execution of malicious code.

CVE-2007-1380, CVE-2007-0988, CVE-2007-1375, CVE-2007-1454 CVE-2007-1453, CVE-2007-1521, CVE-2007-1522, CVE-2007-1376 CVE-2007-1583, CVE-2007-1460, CVE-2007-1461, CVE-2007-1484 CVE-2007-1700, CVE-2007-1717, CVE-2007-1718, CVE-2007-1001 CVE-2007-1824, CVE-2007-1889, CVE-2007-1900

The remote host is affected by the vulnerability described in GLSA-200705-19 (PHP: Multiple vulnerabilities)

    Several vulnerabilities were found in PHP, most of them during the     Month Of PHP Bugs (MOPB) by Stefan Esser. The most severe of these     vulnerabilities are integer overflows in wbmp.c from the GD library     (CVE-2007-1001) and in the substr_compare() PHP 5 function     (CVE-2007-1375). Ilia Alshanetsky also reported a buffer overflow in     the make_http_soap_request() and in the user_filter_factory_create()     functions (CVE-2007-2510, CVE-2007-2511), and Stanislav Malyshev     discovered another buffer overflow in the bundled XMLRPC library     (CVE-2007-1864). Additionally, the session_regenerate_id() and the     array_user_key_compare() functions contain a double-free vulnerability     (CVE-2007-1484, CVE-2007-1521). Finally, there exist implementation     errors in the Zend engine, in the mb_parse_str(), the unserialize() and     the mail() functions and other elements.
  Impact :

    Remote attackers might be able to exploit these issues in PHP     applications making use of the affected functions, potentially     resulting in the execution of arbitrary code, Denial of Service,     execution of scripted contents in the context of the affected site,     security bypass or information leak.
  Workaround :

    There is no known workaround at this time.

According to its banner, the version of PHP installed on the remote host is older than 4.4.7 / 5.2.2.  Such versions may be affected by several issues, including buffer overflows in the GD library.

ID	Name	Product	Family	Severity
29378	SuSE 10 Security Update : PHP5 (ZYPP Patch Number 3290)	Nessus	SuSE Local Security Checks	high
28053	Ubuntu 6.06 LTS / 6.10 / 7.04 : php5 vulnerabilities (USN-455-1)	Nessus	Ubuntu Local Security Checks	high
27150	openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-3289)	Nessus	SuSE Local Security Checks	high
25340	GLSA-200705-19 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
25159	PHP < 4.4.7 / 5.2.2 Multiple Vulnerabilities	Nessus	CGI abuses	high

CVE-2007-1484

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high