http://bugs.php.net/bug.php?id=27421

SUSE-SR:2009:008

34642

34830

35003

35007

35306

DSA-1789

[oss-security] 20090130 CVE Request - php (PHP BZ#27421)

[oss-security] 20090203 Re: CVE Request - php (PHP BZ#27421)

[oss-security] 20090225 Re: CVE Request - php (PHP BZ#27421)

RHSA-2009:0350

1021979

oval:org.mitre.oval:def:11035

USN-761-1

FEDORA-2009-3768

FEDORA-2009-3848

From Red Hat Security Advisory 2009:0338 :

Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
(CVE-2008-5557)

A flaw was found in the handling of the 'mbstring.func_overload' configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754)

A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658)

A flaw was found in the way PHP handled certain file extensions when running in FastCGI mode. If the PHP interpreter was being executed via FastCGI, a remote attacker could create a request which would cause the PHP interpreter to crash. (CVE-2008-3660)

A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the 'background color' argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498)

A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had 'display_errors' enabled, a remote attacker able to set a specially crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814)

All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The httpd web server must be restarted for the changes to take effect.

From Red Hat Security Advisory 2009:0337 :

Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
(CVE-2008-5557)

A flaw was found in the handling of the 'mbstring.func_overload' configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754)

A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658)

A flaw was found in the way PHP handled certain file extensions when running in FastCGI mode. If the PHP interpreter was being executed via FastCGI, a remote attacker could create a request which would cause the PHP interpreter to crash. (CVE-2008-3660)

A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the 'background color' argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498)

All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The httpd web server must be restarted for the changes to take effect.

A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
(CVE-2008-5557)

A flaw was found in the handling of the 'mbstring.func_overload' configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754)

A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658)

A flaw was found in the way PHP handled certain file extensions when running in FastCGI mode. If the PHP interpreter was being executed via FastCGI, a remote attacker could create a request which would cause the PHP interpreter to crash. (CVE-2008-3660)

A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had 'display_errors' enabled, a remote attacker able to set a specially crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814) - SL5 Only

A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the 'background color' argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498)

The httpd web server must be restarted for the changes to take effect.

The remote host is affected by the vulnerability described in GLSA-201001-03 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the     CVE identifiers referenced below and the associated PHP release notes     for details.
  Impact :

    A context-dependent attacker could execute arbitrary code via a     specially crafted string containing an HTML entity when the mbstring     extension is enabled. Furthermore a remote attacker could execute     arbitrary code via a specially crafted GD graphics file.
    A remote attacker could also cause a Denial of Service via a malformed     string passed to the json_decode() function, via a specially crafted     ZIP file passed to the php_zip_make_relative_path() function, via a     malformed JPEG image passed to the exif_read_data() function, or via     temporary file exhaustion. It is also possible for an attacker to spoof     certificates, bypass various safe_mode and open_basedir restrictions     when certain criteria are met, perform Cross-site scripting attacks,     more easily perform SQL injection attacks, manipulate settings of other     virtual hosts on the same server via a malicious .htaccess entry when     running on Apache, disclose memory portions, and write arbitrary files     via a specially crafted ZIP archive. Some vulnerabilities with unknown     impact and attack vectors have been reported as well.
  Workaround :

    There is no known workaround at this time.

Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
(CVE-2008-5557)

A flaw was found in the handling of the 'mbstring.func_overload' configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754)

A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658)

A flaw was found in the way PHP handled certain file extensions when running in FastCGI mode. If the PHP interpreter was being executed via FastCGI, a remote attacker could create a request which would cause the PHP interpreter to crash. (CVE-2008-3660)

A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the 'background color' argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498)

A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had 'display_errors' enabled, a remote attacker able to set a specially crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814)

All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The httpd web server must be restarted for the changes to take effect.

Missing bounds checks of an error in the imageRotate function of the gd extension potentially allowed attackers to read portions of memory.
(CVE-2008-5498)

The mbstring.func_overload in .htaccess was applied to other virtual hosts on th same machine. (CVE-2009-0754)

php 5.1.9 fixes among other things some security issues :

  - Missing bounds checks of an error in the imageRotate     function of the gd extension potentially allowed     attackers to read portions of memory. (CVE-2008-5498)

  - the mbstring.func_overload in .htaccess was applied to     other virtual hosts on th same machine (CVE-2009-0754)

php 5.1.9 fixes among other things some security issues :

  - Missing bounds checks of an error in the imageRotate     function of the gd extension potentially allowed     attackers to read portions of memory (CVE-2008-5498).

  - the mbstring.func_overload in .htaccess was applied to     other virtual hosts on th same machine (CVE-2009-0754).

Update to PHP 5.2.9 A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
(CVE-2008-5557) A directory traversal flaw was found in PHP's ZipArchive::extractTo function. If PHP is used to extract a malicious ZIP archive, it could allow an attacker to write arbitrary files anywhere the PHP process has write permissions. (CVE-2008-5658) A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658) A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the 'background color' argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498) A cross-site scripting flaw was found in a way PHP reported errors for invalid cookies. If the PHP interpreter had 'display_errors' enabled, a remote attacker able to set a specially crafted cookie on a victim's system could possibly inject arbitrary HTML into an error message generated by PHP.
(CVE-2008-5814) A flaw was found in the handling of the 'mbstring.func_overload' configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754) A flaw was found in PHP's json_decode function. A remote attacker could use this flaw to create a specially crafted string which could cause the PHP interpreter to crash while being decoded in a PHP script.
(CVE-2009-1271) A flaw was found in the use of the uw-imap library by the PHP 'imap' extension. This could cause the PHP interpreter to crash if the 'imap' extension was used to read specially crafted mail messages with long headers. (CVE-2008-2829) http://www.php.net/releases/5_2_7.php http://www.php.net/releases/5_2_8.php http://www.php.net/releases/5_2_9.php http://www.php.net/ChangeLog-5.php#5.2.9

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several remote vulnerabilities have been discovered in the PHP 5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems.

The following four vulnerabilities have already been fixed in the stable (lenny) version of php5 prior to the release of lenny. This update now addresses them for etch (oldstable) as well :

  - CVE-2008-2107 / CVE-2008-2108     The GENERATE_SEED macro has several problems that make     predicting generated random numbers easier, facilitating     attacks against measures that use rand() or mt_rand() as     part of a protection.

  - CVE-2008-5557     A buffer overflow in the mbstring extension allows     attackers to execute arbitrary code via a crafted string     containing an HTML entity.

  - CVE-2008-5624     The page_uid and page_gid variables are not correctly     set, allowing use of some functionality intended to be     restricted to root.

  - CVE-2008-5658     Directory traversal vulnerability in the     ZipArchive::extractTo function allows attackers to write     arbitrary files via a ZIP file with a file whose name     contains .. (dot dot) sequences.

This update also addresses the following three vulnerabilities for both oldstable (etch) and stable (lenny) :

  - CVE-2008-5814     Cross-site scripting (XSS) vulnerability, when     display_errors is enabled, allows remote attackers to     inject arbitrary web script or HTML.

  - CVE-2009-0754     When running on Apache, PHP allows local users to modify     behavior of other sites hosted on the same web server by     modifying the mbstring.func_overload setting within     .htaccess, which causes this setting to be applied to     other virtual hosts on the same server. 

  - CVE-2009-1271     The JSON_parser function allows a denial of service     (segmentation fault) via a malformed string to the     json_decode API function.

Furthermore, two updates originally scheduled for the next point update for oldstable are included in the etch package :

  - Let PHP use the system timezone database instead of the     embedded timezone database which is out of date.
  - From the source tarball, the unused 'dbase' module has     been removed which contained licensing problems.

PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server (CVE-2009-0754).

The updated packages have been patched to correct these issues.

It was discovered that PHP did not sanitize certain error messages when display_errors is enabled, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain.
(CVE-2008-5814)

It was discovered that PHP did not properly handle the mbstring.func_overload setting within .htaccess files when using virtual hosts. A virtual host administrator could use this flaw to cause settings to be applied to other virtual hosts on the same server. (CVE-2009-0754)

It was discovered that PHP did not properly handle certain malformed strings when being parsed by the json_decode function. A remote attacker could exploit this flaw and cause the PHP server to crash, resulting in a denial of service. This issue only affected Ubuntu 8.04 and 8.10. (CVE-2009-1271).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

A heap-based buffer overflow flaw was found in PHP's mbstring extension. A remote attacker able to pass arbitrary input to a PHP script using mbstring conversion functions could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
(CVE-2008-5557)

A flaw was found in the handling of the 'mbstring.func_overload' configuration setting. A value set for one virtual host, or in a user's .htaccess file, was incorrectly applied to other virtual hosts on the same server, causing the handling of multibyte character strings to not work correctly. (CVE-2009-0754)

A buffer overflow flaw was found in PHP's imageloadfont function. If a PHP script allowed a remote attacker to load a carefully crafted font file, it could cause the PHP interpreter to crash or, possibly, execute arbitrary code. (CVE-2008-3658)

A flaw was found in the way PHP handled certain file extensions when running in FastCGI mode. If the PHP interpreter was being executed via FastCGI, a remote attacker could create a request which would cause the PHP interpreter to crash. (CVE-2008-3660)

A memory disclosure flaw was found in the PHP gd extension's imagerotate function. A remote attacker able to pass arbitrary values as the 'background color' argument of the function could, possibly, view portions of the PHP interpreter's memory. (CVE-2008-5498)

All php users are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. The httpd web server must be restarted for the changes to take effect.

According to its banner, the version of PHP installed on the remote host is older than 4.4.9.  Such versions may be affected by several security issues :

  - There are unspecified issues in the bundled PCRE library     fixed by version 7.7.

  - A buffer overflow in the 'imageloadfont()' function in     'ext/gd/gd.c' can be triggered when a specially crafted     font is given. (CVE-2008-3658)

  - A buffer overflow exists in the internal 'memnstr()'     function, which is exposed to userspace as 'explode()'.
    (CVE-2008-3659)

  - A denial of service vulnerability exists when a     filename contains 2 dots. (CVE-2008-3660)

  - An 'open_basedir' handling issue in the curl extension.

  - 'mbstring.func_overload' set in '.htaccess' becomes     global. (CVE-2009-0754)

Note that the release announcement states this will be the last release for the PHP 4.4 series.

ID	Name	Product	Family	Severity
67818	Oracle Linux 5 : php (ELSA-2009-0338)	Nessus	Oracle Linux Local Security Checks	critical
67817	Oracle Linux 3 / 4 : php (ELSA-2009-0337)	Nessus	Oracle Linux Local Security Checks	critical
60561	Scientific Linux Security Update : php on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	critical
44892	GLSA-201001-03 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
43732	CentOS 5 : php (CESA-2009:0338)	Nessus	CentOS Local Security Checks	critical
41476	SuSE 10 Security Update : PHP5 (ZYPP Patch Number 6069)	Nessus	SuSE Local Security Checks	medium
41368	SuSE 11 Security Update : PHP5 (SAT Patch Number 666)	Nessus	SuSE Local Security Checks	medium
40187	openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-593)	Nessus	SuSE Local Security Checks	medium
39916	openSUSE Security Update : apache2-mod_php5 (apache2-mod_php5-593)	Nessus	SuSE Local Security Checks	medium
38957	Fedora 9 : maniadrive-1.2-13.fc9 / php-5.2.9-2.fc9 (2009-3848)	Nessus	Fedora Local Security Checks	critical
38956	Fedora 10 : maniadrive-1.2-13.fc10 / php-5.2.9-2.fc10 (2009-3768)	Nessus	Fedora Local Security Checks	critical
38691	Debian DSA-1789-1 : php5 - several vulnerabilities	Nessus	Debian Local Security Checks	critical
38117	Mandriva Linux Security Advisory : php (MDVSA-2009:066)	Nessus	Mandriva Local Security Checks	low
37849	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 : php5 vulnerabilities (USN-761-1)	Nessus	Ubuntu Local Security Checks	medium
36098	RHEL 5 : php (RHSA-2009:0338)	Nessus	Red Hat Local Security Checks	critical
36097	RHEL 3 / 4 : php (RHSA-2009:0337)	Nessus	Red Hat Local Security Checks	critical
36089	CentOS 3 / 4 : php (CESA-2009:0337)	Nessus	CentOS Local Security Checks	critical
36079	openSUSE 10 Security Update : apache2-mod_php5 (apache2-mod_php5-6068)	Nessus	SuSE Local Security Checks	medium
33849	PHP < 4.4.9 Multiple Vulnerabilities	Nessus	CGI abuses	high

CVE-2009-0754

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins