PHP: Multiple vulnerabilities

1.

Gentoo Linux Security Advisory

Version Information

Advisory Reference

GLSA 200710-02 / php

Release Date

October 07, 2007

Latest Revision

October 07, 2007: 01

Impact

high

Exploitable

remote

Package

Vulnerable versions

Unaffected versions

Architecture(s)

dev-lang/php

<

5.2.4_p20070914-r2

>=

5.2.4_p20070914-r2

All supported architectures

Related bugreports:

#179158, #180556, #191034

Synopsis

PHP contains several vulnerabilities including buffer and integer overflows

which could lead to the remote execution of arbitrary code.

2.

Impact Information

Background

PHP is a widely-used general-purpose scripting language that is

especially suited for Web development and can be embedded into HTML.

Description

Several vulnerabilities were found in PHP. Mattias Bengtsson and Philip

Olausson reported integer overflows in the gdImageCreate() and

gdImageCreateTrueColor() functions of the GD library which can cause

heap-based buffer overflows (CVE-2007-3996). Gerhard Wagner discovered

an integer overflow in the chunk_split() function that can lead to a

heap-based buffer overflow (CVE-2007-2872). Its incomplete fix caused

incorrect buffer size calculation due to precision loss, also resulting

in a possible heap-based buffer overflow (CVE-2007-4661 and

CVE-2007-4660). A buffer overflow in the sqlite_decode_binary() of the

SQLite extension found by Stefan Esser that was addressed in PHP 5.2.1

was not fixed correctly (CVE-2007-1887).

Stefan Esser discovered an error in the zend_alter_ini_entry() function

handling a memory_limit violation (CVE-2007-4659). Stefan Esser also

discovered a flaw when handling interruptions with userspace error

handlers that can be exploited to read arbitrary heap memory

(CVE-2007-1883). Disclosure of sensitive memory can also be triggered

due to insufficient boundary checks in the strspn() and strcspn()

functions, an issue discovered by Mattias Bengtsson and Philip Olausson

(CVE-2007-4657)

Stefan Esser reported incorrect validation in the FILTER_VALIDATE_EMAIL

filter of the Filter extension allowing arbitrary email header

injection (CVE-2007-1900). NOTE: This CVE was referenced, but not fixed

in GLSA 200705-19.

Stanislav Malyshev found an error with unknown impact in the

money_format() function when processing "%i" and "%n" tokens

(CVE-2007-4658). zatanzlatan reported a buffer overflow in the

php_openssl_make_REQ() function with unknown impact when providing a

manipulated SSL configuration file (CVE-2007-4662). Possible memory

corruption when trying to read EXIF data in exif_read_data() and

exif_thumbnail() occurred with unknown impact.

Several vulnerabilities that allow bypassing of open_basedir and other

restrictions were reported, including the glob() function

(CVE-2007-4663), the session_save_path(), ini_set(), and error_log()

functions which can allow local command execution (CVE-2007-3378),

involving the readfile() function (CVE-2007-3007), via the Session

extension (CVE-2007-4652), via the MySQL extension (CVE-2007-3997) and

in the dl() function which allows loading extensions outside of the

specified directory (CVE-2007-4825).

Multiple Denial of Service vulnerabilities were discovered, including a

long "library" parameter in the dl() function (CVE-2007-4887), in

several iconv and xmlrpc functions (CVE-2007-4840 and CVE-2007-4783),

in the setlocale() function (CVE-2007-4784), in the glob() and

fnmatch() function (CVE-2007-4782 and CVE-2007-3806), a floating point

exception in the wordwrap() function (CVE-2007-3998), a stack

exhaustion via deeply nested arrays (CVE-2007-4670), an infinite loop

caused by a specially crafted PNG image in the png_read_info() function

of libpng (CVE-2007-2756) and several issues related to array

conversion.

Impact

Remote attackers might be able to exploit these issues in PHP

applications making use of the affected functions, potentially

resulting in the execution of arbitrary code, Denial of Service,

execution of scripted contents in the context of the affected site,

security bypass or information leak.

3.

Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All PHP users should upgrade to the latest version:

Code Listing3.1: Resolution

# emerge --sync




# emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.4_p20070914-r2"

4.

References

CVE-2007-1883

CVE-2007-1887

CVE-2007-1900

CVE-2007-2756

CVE-2007-2872

CVE-2007-3007

CVE-2007-3378

CVE-2007-3806

CVE-2007-3996

CVE-2007-3997

CVE-2007-3998

CVE-2007-4652

CVE-2007-4657

CVE-2007-4658

CVE-2007-4659

CVE-2007-4660

CVE-2007-4661

CVE-2007-4662

CVE-2007-4663

CVE-2007-4670

CVE-2007-4727

CVE-2007-4782

CVE-2007-4783

CVE-2007-4784

CVE-2007-4825

CVE-2007-4840

CVE-2007-4887

GLSA 200705-19

Print

Page updated October 07, 2007

Summary:

This is a Gentoo Linux Security Advisory

Security Team

Contact Address

Donate to support our development efforts.