APPLE-SA-2012-02-01-1

20110819 PHP 5.3.6 ZipArchive invalid use glob(3)

8342

http://support.apple.com/kb/HT5130

http://svn.php.net/viewvc/?view=revision&revision=310814

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/zip/php_zip.c?view=log

MDVSA-2011:165

[oss-security] 20110701 php ZipArchive::addGlob() crashes on invalid flags

[oss-security] 20110701 Re: php ZipArchive::addGlob() crashes on invalid flags

[oss-security] 20110701 Re: Re: php ZipArchive::addGlob() crashes on invalid flags

49252

https://bugs.php.net/bug.php?id=54681

php-ziparchiveaddglob-dos(69320)

Several vulnerabilities have been discovered in PHP, the web scripting language. The Common Vulnerabilities and Exposures project identifies the following issues :

  - CVE-2011-1072     It was discovered that insecure handling of temporary     files in the PEAR installer could lead to denial of     service.

  - CVE-2011-4153     Maksymilian Arciemowicz discovered that a NULL pointer     dereference in the zend_strndup() function could lead to     denial of service.

  - CVE-2012-0781     Maksymilian Arciemowicz discovered that a NULL pointer     dereference in the tidy_diagnose() function could lead     to denial of service.

  - CVE-2012-0788     It was discovered that missing checks in the handling of     PDORow objects could lead to denial of service.

  - CVE-2012-0831     It was discovered that the magic_quotes_gpc setting     could be disabled remotely.

This update also addresses PHP bugs, which are not treated as security issues in Debian (see README.Debian.security), but which were fixed nonetheless: CVE-2010-4697, CVE-2011-1092, CVE-2011-1148, CVE-2011-1464, CVE-2011-1467 CVE-2011-1468, CVE-2011-1469, CVE-2011-1470, CVE-2011-1657, CVE-2011-3182 CVE-2011-3267

The remote host is running a version of Mac OS X 10.7 that is older than version 10.7.3.  The newer version contains numerous security-related fixes for the following components :

  - Address Book
  - Apache
  - ATS
  - CFNetwork
 - CoreMedia
 - CoreText
 - CoreUI
 - curl
 - Data Security
 - dovecot
 - filecmds
 - ImageIO
 - Internet Sharing
 - Libinfo
 - libresolv
 - libsecurity
 - OpenGL
 - PHP
 - QuickTime
 - Subversion
 - Time Machine
 - WebDAV Sharing
 - Webmail
 - X11

The remote host is running a version of Mac OS X 10.6 that does not have Security Update 2012-001 applied. This update contains multiple security-related fixes for the following components :

  - Apache
  - ATS
  - ColorSync
  - CoreAudio
  - CoreMedia
  - CoreText
  - curl
  - Data Security
  - dovecot
  - filecmds
  - libresolv
  - libsecurity
  - OpenGL
  - PHP
  - QuickTime
  - SquirrelMail
  - Subversion
  - Tomcat
  - X11

The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.3. The newer version contains multiple security-related fixes for the following components :

  - Address Book
  - Apache
  - ATS
  - CFNetwork
  - CoreMedia
  - CoreText
  - CoreUI
  - curl
  - Data Security
  - dovecot
  - filecmds
  - ImageIO
  - Internet Sharing
  - Libinfo
  - libresolv
  - libsecurity
  - OpenGL
  - PHP
  - QuickTime
  - Subversion
  - Time Machine
  - WebDAV Sharing
  - Webmail
  - X11

Multiple vulnerabilities has been identified and fixed in php :

Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments (CVE-2011-1148).

The (1) ZipArchive::addGlob and (2) ZipArchive::addPattern functions in ext/zip/php_zip.c in PHP 5.3.6 allow context-dependent attackers to cause a denial of service (application crash) via certain flags arguments, as demonstrated by (a) GLOB_ALTDIRFUNC and (b) GLOB_APPEND (CVE-2011-1657).

Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket (CVE-2011-1938).

The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a file path injection vulnerability. (CVE-2011-2202).

crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash (CVE-2011-2483).

PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function (CVE-2011-3182).

PHP before 5.3.7 does not properly implement the error_log function, which allows context-dependent attackers to cause a denial of service (application crash) via unspecified vectors (CVE-2011-3267).

Buffer overflow in the crypt function in PHP before 5.3.7 allows context-dependent attackers to have an unspecified impact via a long salt argument, a different vulnerability than CVE-2011-2483 (CVE-2011-3268).

The updated php packages have been upgraded to 5.3.8 which is not vulnerable to these issues.

Additionally some of the PECL extensions has been upgraded and/or rebuilt for the new php version.

Mateusz Kocielski, Marek Kroemeke and Filip Palian discovered that a stack-based buffer overflow existed in the socket_connect function's handling of long pathnames for AF_UNIX sockets. A remote attacker might be able to exploit this to execute arbitrary code; however, the default compiler options for affected releases should reduce the vulnerability to a denial of service. This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1938)

Krzysztof Kotowicz discovered that the PHP post handler function does not properly restrict filenames in multipart/form-data POST requests.
This may allow remote attackers to conduct absolute path traversal attacks and possibly create or overwrite arbitrary files. This issue affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-2202)

It was discovered that the crypt function for blowfish does not properly handle 8-bit characters. This could make it easier for an attacker to discover a cleartext password containing an 8-bit character that has a matching blowfish crypt value. This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04.
(CVE-2011-2483)

It was discovered that PHP did not properly check the return values of the malloc(3), calloc(3) and realloc(3) library functions in multiple locations. This could allow an attacker to cause a denial of service via a NULL pointer dereference or possibly execute arbitrary code.
This issue affected Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-3182)

Maksymilian Arciemowicz discovered that PHP did not properly implement the error_log function. This could allow an attacker to cause a denial of service via an application crash. This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04 and Ubuntu 11.10. (CVE-2011-3267)

Maksymilian Arciemowicz discovered that the ZipArchive functions addGlob() and addPattern() did not properly check their flag arguments. This could allow a malicious script author to cause a denial of service via application crash. This issue affected Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04 and Ubuntu 11.10.
(CVE-2011-1657)

It was discovered that the Xend opcode parser in PHP could be interrupted while handling the shift-left, shift-right, and bitwise-xor opcodes. This could allow a malicious script author to expose memory contents. This issue affected Ubuntu 10.04 LTS.
(CVE-2010-1914)

It was discovered that the strrchr function in PHP could be interrupted by a malicious script, allowing the exposure of memory contents. This issue affected Ubuntu 8.04 LTS. (CVE-2010-2484).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201110-06 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could execute arbitrary code, obtain       sensitive information from process memory, bypass intended access       restrictions, or cause a Denial of Service in various ways.
    A remote attacker could cause a Denial of Service in various ways,       bypass spam detections, or bypass open_basedir restrictions.
  Workaround :

    There is no known workaround at this time.

Versions of PHP 5.3 earlier than 5.3.7 are potentially affected by multiple vulnerabilities : 

  - A stack buffer overflow exists in socket_connect(). (CVE-2011-1938)

  - A use-after-free vulnerability exists in substr_replace(). (CVE-2011-1148)

  - A code execution vulnerability exists in ZipArchive: : addGlob(). (CVE-2011-1657)

  - crypt_blowfish was updated to 1.2. (CVE-2011-2483)

  - Multiple null pointer dereferences exist.

  - An unspecified crash exists in error_log().

  - A buffer overflow vulnerability exists in crypt().

Versions of PHP 5.3 earlier than 5.3.7 are potentially affected by multiple vulnerabilities : 

  - A stack buffer overflow exists in socket_connect(). (CVE-2011-1938)

  - A use-after-free vulnerability exists in substr_replace(). (CVE-2011-1148)

  - A code execution vulnerability exists in ZipArchive: : addGlob(). (CVE-2011-1657)

  - crypt_blowfish was updated to 1.2. (CVE-2011-2483)

  - Multiple null pointer dereferences exist.

  - An unspecified crash exists in error_log().

  - A buffer overflow vulnerability exists in crypt().
 - A flaw exists in the php_win32_get_random_bytes() function when passing MCRYPT_DEV_URANDOM as source to mcrypt_create_iv(). A remote attacker can exploit this to cause a denial of service condition.

According to its banner, the version of PHP 5.3.x running on the remote host is prior to 5.3.7. It is, therefore, affected by the following vulnerabilities :

  - A use-after-free vulnerability in substr_replace().
   (CVE-2011-1148)

  - A stack-based buffer overflow in socket_connect().
   (CVE-2011-1938)

  - A code execution vulnerability in ZipArchive::addGlob().
    (CVE-2011-1657)

  - crypt_blowfish was updated to 1.2. (CVE-2011-2483)

  - Multiple NULL pointer dereferences. (CVE-2011-3182)

  - An unspecified crash in error_log(). (CVE-2011-3267)

  - A buffer overflow in crypt(). (CVE-2011-3268)

  - A flaw exists in the php_win32_get_random_bytes()     function when passing MCRYPT_DEV_URANDOM as source to     mcrypt_create_iv(). A remote attacker can exploit this     to cause a denial of service condition.

ID	Name	Product	Family	Severity
57925	Debian DSA-2408-1 : php5 - several vulnerabilities	Nessus	Debian Local Security Checks	high
6303	Mac OS X 10.7 < 10.7.3 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
57798	Mac OS X Multiple Vulnerabilities (Security Update 2012-001) (BEAST)	Nessus	MacOS X Local Security Checks	critical
57797	Mac OS X 10.7.x < 10.7.3 Multiple Vulnerabilities (BEAST)	Nessus	MacOS X Local Security Checks	critical
56707	Mandriva Linux Security Advisory : php (MDVSA-2011:165)	Nessus	Mandriva Local Security Checks	critical
56554	Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : php5 vulnerabilities (USN-1231-1)	Nessus	Ubuntu Local Security Checks	high
56459	GLSA-201110-06 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
801087	PHP 5.3 < 5.3.7 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high
6015	PHP 5.3.x < 5.3.7 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
55925	PHP 5.3 < 5.3.7 Multiple Vulnerabilities	Nessus	CGI abuses	critical

CVE-2011-1657

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins