PHP: Multiple vulnerabilities
Security Team
Contact Address
Updated November 16, 20081.
Gentoo Linux Security Advisory
Version Information
| Advisory Reference |
GLSA 200811-05 / php |
| Release Date |
November 16, 2008 |
| Latest Revision |
November 16, 2008: 01 |
| Impact |
normal |
| Exploitable |
remote |
| Package |
Vulnerable versions |
Unaffected versions |
Architecture(s) |
| dev-lang/php |
<
5.2.6-r6 |
>=
5.2.6-r6 |
All supported architectures
|
Related bugreports:
#209148, #212211, #215266, #228369, #230575, #234102
Synopsis
PHP contains several vulnerabilities including buffer and integer overflows
which could lead to the remote execution of arbitrary code.
2.
Impact Information
Background
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
Description
Several vulnerabilitites were found in PHP:
- PHP ships a
vulnerable version of the PCRE library which allows for the
circumvention of security restrictions or even for remote code
execution in case of an application which accepts user-supplied regular
expressions (CVE-2008-0674).
- Multiple crash issues in several
PHP functions have been discovered.
- Ryan Permeh reported that
the init_request_info() function in sapi/cgi/cgi_main.c does not
properly consider operator precedence when calculating the length of
PATH_TRANSLATED (CVE-2008-0599).
- An off-by-one error in the
metaphone() function may lead to memory corruption.
- Maksymilian Arciemowicz of SecurityReason Research reported an
integer overflow, which is triggerable using printf() and related
functions (CVE-2008-1384).
- Andrei Nigmatulin reported a
stack-based buffer overflow in the FastCGI SAPI, which has unknown
attack vectors (CVE-2008-2050).
- Stefan Esser reported that PHP
does not correctly handle multibyte characters inside the
escapeshellcmd() function, which is used to sanitize user input before
its usage in shell commands (CVE-2008-2051).
- Stefan Esser
reported that a short-coming in PHP's algorithm of seeding the random
number generator might allow for predictible random numbers
(CVE-2008-2107, CVE-2008-2108).
- The IMAP extension in PHP uses
obsolete c-client API calls making it vulnerable to buffer overflows as
no bounds checking can be done (CVE-2008-2829).
- Tavis Ormandy
reported a heap-based buffer overflow in pcre_compile.c in the PCRE
version shipped by PHP when processing user-supplied regular
expressions (CVE-2008-2371).
- CzechSec reported that specially
crafted font files can lead to an overflow in the imageloadfont()
function in ext/gd/gd.c, which is part of the GD extension
(CVE-2008-3658).
- Maksymilian Arciemowicz of SecurityReason
Research reported that a design error in PHP's stream wrappers allows
to circumvent safe_mode checks in several filesystem-related PHP
functions (CVE-2008-2665, CVE-2008-2666).
- Laurent Gaffie
discovered a buffer overflow in the internal memnstr() function, which
is used by the PHP function explode() (CVE-2008-3659).
- An
error in the FastCGI SAPI when processing a request with multiple dots
preceding the extension (CVE-2008-3660).
Impact
These vulnerabilities might allow a remote attacker to execute
arbitrary code, to cause a Denial of Service, to circumvent security
restrictions, to disclose information, and to manipulate files.
3.
Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All PHP users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.6-r6"
|
4.
References