Users login

Create an account »

JOIN XATRIX

Users login

Home » Security Advisories» Mandrake » PHP multiple vulnerabilities

PHP multiple vulnerabilities

A number of vulnerabilities are addressed in this PHP update. Integer overflows, denial of service and path restriction bugs.

  • Vendor: Mandrake
  • Vendor ID: MDKSA-2005:072
  • Date: April 18, 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Update Advisory
_______________________________________________________________________

Package name: php
Advisory ID: MDKSA-2005:072
Date: April 18th, 2005

Affected versions: 10.0, 10.1, 10.2, Corporate 3.0,
Corporate Server 2.1
______________________________________________________________________

Problem Description:

A number of vulnerabilities are addressed in this PHP update:

Stefano Di Paolo discovered integer overflows in PHP's pack(),
unpack(), and shmop_write() functions which could allow a malicious
script to break out of safe mode and execute arbitray code with
privileges of the PHP interpreter (CAN-2004-1018; this was previously
fixed in Mandrakelinux >= 10.0 in MDKSA-2004:151).

Stefan Esser discovered two safe mode bypasses which would allow
malicious scripts to circumvent path restrictions by using
virtual_popen() with a current directory containing shell meta-
characters (CAN-2004-1063) or by creating a specially crafted
directory whose length exceeded the capacity of realpath()
(CAN-2004-1064; both of these were previously fixed in Mandrakelinux
>= 10.0 in MDKSA-2004:151).

Two Denial of Service vulnerabilities were found in the getimagesize()
function which uses the format-specific internal functions
php_handle_iff() and php_handle_jpeg() which would get stuck in
infinite loops when certain (invalid) size parameters are read from
the image (CAN-2005-0524 and CAN-2005-0525).

An integer overflow was discovered in the exif_process_IFD_TAG()
function in PHP's EXIF module. EXIF tags with a specially crafted
"Image File Directory" (IFD) tag would cause a buffer overflow which
could be exploited to execute arbitrary code with the privileges of
the PHP server (CAN-2005-1042).

Another vulnerability in the EXIF module was also discovered where
headers with a large IFD nesting level would cause an unbound
recursion which would eventually overflow the stack and cause the
executed program to crash (CAN-2004-1043).

All of these issues are addressed in the Corporate Server 2.1 packages
and the last three issues for all other platforms, which had
previously included the first two issues but had not been mentioned
in MDKSA-2004:151.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0524
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1043
______________________________________________________________________

Updated Packages:

Mandrakelinux 10.0:
f7d974aa23e07a33ffc28d24d57ae6d1 10.0/RPMS/libphp_common432-4.3.4-4.5.100mdk.i586.rpm
345a78284dee2a035f627e348e73923b 10.0/RPMS/php-cgi-4.3.4-4.5.100mdk.i586.rpm
14a9a57cb05438a2b95ac47fa68755be 10.0/RPMS/php-cli-4.3.4-4.5.100mdk.i586.rpm
1d43beb4125253db8a9bdaaffec6abce 10.0/RPMS/php432-devel-4.3.4-4.5.100mdk.i586.rpm
44a1aa8be7f1f56120568028d3cce0a0 10.0/SRPMS/php-4.3.4-4.5.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
9651a95c09fef8db80f8d0455f1d4aae amd64/10.0/RPMS/lib64php_common432-4.3.4-4.5.100mdk.amd64.rpm
d883ef32f7f60531cf2be850d5e9dcba amd64/10.0/RPMS/php-cgi-4.3.4-4.5.100mdk.amd64.rpm
21f487c746312c589115e12b9ed0d13e amd64/10.0/RPMS/php-cli-4.3.4-4.5.100mdk.amd64.rpm
0a9e996779cc13cfa458c39aa6bf6472 amd64/10.0/RPMS/php432-devel-4.3.4-4.5.100mdk.amd64.rpm
44a1aa8be7f1f56120568028d3cce0a0 amd64/10.0/SRPMS/php-4.3.4-4.5.100mdk.src.rpm

Mandrakelinux 10.1:
f75cb008b1eafcce1167f487fd0742ef 10.1/RPMS/libphp_common432-4.3.8-3.3.101mdk.i586.rpm
6522017c3e097f22a37f293d765f4141 10.1/RPMS/php-cgi-4.3.8-3.3.101mdk.i586.rpm
4ba9ade6db11e4035f73ede36e361ad7 10.1/RPMS/php-cli-4.3.8-3.3.101mdk.i586.rpm
63d4d58bbc3a01b89c688660be399af0 10.1/RPMS/php432-devel-4.3.8-3.3.101mdk.i586.rpm
f4fe82b93cf84987b0787e297d5189de 10.1/SRPMS/php-4.3.8-3.3.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
fb08286032f45020ecd96e07b0da51af x86_64/10.1/RPMS/lib64php_common432-4.3.8-3.3.101mdk.x86_64.rpm
e1ae8214e11a7e62e987cde10e53c609 x86_64/10.1/RPMS/php-cgi-4.3.8-3.3.101mdk.x86_64.rpm
44c080a9d90e282da95b5d809e90df52 x86_64/10.1/RPMS/php-cli-4.3.8-3.3.101mdk.x86_64.rpm
d23e51652be1cb62f4704a5c4fe4a7a9 x86_64/10.1/RPMS/php432-devel-4.3.8-3.3.101mdk.x86_64.rpm
f4fe82b93cf84987b0787e297d5189de x86_64/10.1/SRPMS/php-4.3.8-3.3.101mdk.src.rpm

Mandrakelinux 10.2:
cc1f7f17fdcaf8dc87efcad94a241eca 10.2/RPMS/libphp_common432-4.3.10-7.1.102mdk.i586.rpm
3655f4254ca1ee329462e1f744533ed2 10.2/RPMS/php-cgi-4.3.10-7.1.102mdk.i586.rpm
a6084914e21c0a5873d5b94bb914411f 10.2/RPMS/php-cli-4.3.10-7.1.102mdk.i586.rpm
41a0168e7a2fdb581b59e5550c02418f 10.2/RPMS/php432-devel-4.3.10-7.1.102mdk.i586.rpm
2e3bf475cc0a73a2402d487e1bcaa741 10.2/SRPMS/php-4.3.10-7.1.102mdk.src.rpm

Mandrakelinux 10.2/X86_64:
17130ea081a475bebce9ef1f4ea89c22 x86_64/10.2/RPMS/lib64php_common432-4.3.10-7.1.102mdk.x86_64.rpm
5b9712e9d2b3709243080eefe5f36037 x86_64/10.2/RPMS/php-cgi-4.3.10-7.1.102mdk.x86_64.rpm
6e77ec1f4a00e757e9144c798f86b465 x86_64/10.2/RPMS/php-cli-4.3.10-7.1.102mdk.x86_64.rpm
f55fc2c228f012266c55e830cc858698 x86_64/10.2/RPMS/php432-devel-4.3.10-7.1.102mdk.x86_64.rpm
2e3bf475cc0a73a2402d487e1bcaa741 x86_64/10.2/SRPMS/php-4.3.10-7.1.102mdk.src.rpm

Corporate Server 2.1:
f418349daa18087f1b2bd2d06d07a7d7 corporate/2.1/RPMS/php-4.2.3-4.4.C21mdk.i586.rpm
f55f290333af492f34104d1821ece93d corporate/2.1/RPMS/php-common-4.2.3-4.4.C21mdk.i586.rpm
ff25be7d53aa1f8efa1ac7ea06935c60 corporate/2.1/RPMS/php-devel-4.2.3-4.4.C21mdk.i586.rpm
38a6771932090c0b49a495caa244047f corporate/2.1/RPMS/php-pear-4.2.3-4.4.C21mdk.i586.rpm
57a79e60657b372524d7b8af3535cfe6 corporate/2.1/SRPMS/php-4.2.3-4.4.C21mdk.src.rpm

Corporate Server 2.1/X86_64:
0459cb20800a58b6ee41fc6ac2dc55b2 x86_64/corporate/2.1/RPMS/php-4.2.3-4.4.C21mdk.x86_64.rpm
462186f5005cafbfe66dd99cb9110e30 x86_64/corporate/2.1/RPMS/php-common-4.2.3-4.4.C21mdk.x86_64.rpm
5f6c49093da250595d27917455fff5bd x86_64/corporate/2.1/RPMS/php-devel-4.2.3-4.4.C21mdk.x86_64.rpm
5fb114b6761fcd231cbbbfde6e41252d x86_64/corporate/2.1/RPMS/php-pear-4.2.3-4.4.C21mdk.x86_64.rpm
57a79e60657b372524d7b8af3535cfe6 x86_64/corporate/2.1/SRPMS/php-4.2.3-4.4.C21mdk.src.rpm

Corporate 3.0:
eab4aa42fbd404630d0eb350ea17efd1 corporate/3.0/RPMS/libphp_common432-4.3.4-4.5.C30mdk.i586.rpm
3138545d861d0c28acc81f77424e95c5 corporate/3.0/RPMS/php-cgi-4.3.4-4.5.C30mdk.i586.rpm
b26d65545512c6698cfb5d3280961677 corporate/3.0/RPMS/php-cli-4.3.4-4.5.C30mdk.i586.rpm
6bfa6303f2f8a52c963f9df4bf59c639 corporate/3.0/RPMS/php432-devel-4.3.4-4.5.C30mdk.i586.rpm
9f017d501ff162d276b0e2832468a5c8 corporate/3.0/SRPMS/php-4.3.4-4.5.C30mdk.src.rpm

Corporate 3.0/X86_64:
eab4aa42fbd404630d0eb350ea17efd1 x86_64/corporate/3.0/RPMS/libphp_common432-4.3.4-4.5.C30mdk.i586.rpm
3138545d861d0c28acc81f77424e95c5 x86_64/corporate/3.0/RPMS/php-cgi-4.3.4-4.5.C30mdk.i586.rpm
b26d65545512c6698cfb5d3280961677 x86_64/corporate/3.0/RPMS/php-cli-4.3.4-4.5.C30mdk.i586.rpm
6bfa6303f2f8a52c963f9df4bf59c639 x86_64/corporate/3.0/RPMS/php432-devel-4.3.4-4.5.C30mdk.i586.rpm
9f017d501ff162d276b0e2832468a5c8 x86_64/corporate/3.0/SRPMS/php-4.3.4-4.5.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCZGd6mqjQ0CJFipgRArzeAKCwF9l5b7X4e2V1lwVKBEmKxzhb2gCdGPe6
tLdpH8LT8qnWvHfu0Yo4XIA=
=eOcy
-----END PGP SIGNATURE-----

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »