LinuxSecurity.com
Gentoo: PHP Multiple vulnerabilities
Posted by Benjamin D. Thomas   
Gentoo PHP contains several vulnerabilities including buffer and integer overflows which could lead to the remote execution of arbitrary code.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200811-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: PHP: Multiple vulnerabilities
      Date: November 16, 2008
      Bugs: #209148, #212211, #215266, #228369, #230575, #234102
        ID: 200811-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

PHP contains several vulnerabilities including buffer and integer
overflows which could lead to the remote execution of arbitrary code.

Background
==========

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

Affected packages
=================

    -------------------------------------------------------------------
     Package       /  Vulnerable  /                         Unaffected
    -------------------------------------------------------------------
  1  dev-lang/php     < 5.2.6-r6                           >= 5.2.6-r6

Description
===========

Several vulnerabilities were found in PHP:

* PHP ships a vulnerable version of the PCRE library which allows for
  the circumvention of security restrictions or even for remote code
  execution in case of an application which accepts user-supplied
  regular expressions (CVE-2008-0674).

* Multiple crash issues in several PHP functions have been
  discovered.

* Ryan Permeh reported that the init_request_info() function in
  sapi/cgi/cgi_main.c does not properly consider operator precedence
  when calculating the length of PATH_TRANSLATED (CVE-2008-0599).

* An off-by-one error in the metaphone() function may lead to memory
  corruption.

* Maksymilian Arciemowicz of SecurityReason Research reported an
  integer overflow, which is triggerable using printf() and related
  functions (CVE-2008-1384).

* Andrei Nigmatulin reported a stack-based buffer overflow in the
  FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050).

* Stefan Esser reported that PHP does not correctly handle multibyte
  characters inside the escapeshellcmd() function, which is used to
  sanitize user input before its usage in shell commands
  (CVE-2008-2051).

* Stefan Esser reported that a shortcoming in PHP's algorithm for
  seeding the random number generator might allow for predictable
  random numbers (CVE-2008-2107, CVE-2008-2108).

* The IMAP extension in PHP uses obsolete c-client API calls making
  it vulnerable to buffer overflows as no bounds checking can be done
  (CVE-2008-2829).

* Tavis Ormandy reported a heap-based buffer overflow in
  pcre_compile.c in the PCRE version shipped by PHP when processing
  user-supplied regular expressions (CVE-2008-2371).

* CzechSec reported that specially crafted font files can lead to an
  overflow in the imageloadfont() function in ext/gd/gd.c, which is
  part of the GD extension (CVE-2008-3658).

* Maksymilian Arciemowicz of SecurityReason Research reported that a
  design error in PHP's stream wrappers allows circumvention of
  safe_mode checks in several filesystem-related PHP functions
  (CVE-2008-2665, CVE-2008-2666).

* Laurent Gaffie discovered a buffer overflow in the internal
  memnstr() function, which is used by the PHP function explode()
  (CVE-2008-3659).

* An error in the FastCGI SAPI when processing a request with
  multiple dots preceding the extension (CVE-2008-3660).

Impact
======

These vulnerabilities might allow a remote attacker to execute
arbitrary code, to cause a Denial of Service, to circumvent security
restrictions, to disclose information, and to manipulate files.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PHP users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.6-r6"
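
The affected range from the table above (dev-lang/php < 5.2.6-r6) turned into a scriptable check, as an added example that is not part of the Gentoo advisory. It assumes versions are dotted numbers with an optional -rN revision; Portage suffixes such as _rc1 are reported as unknown, and ver_lt and php_status are hypothetical helper names.

```shell
#!/bin/sh
# Added example: is a dev-lang/php version inside the range GLSA 200811-05
# lists as vulnerable (< 5.2.6-r6)?
# Assumption: versions look like 5.2.6 or 5.2.6-r6 (dotted numbers, optional
# -rN revision). Portage suffixes (_rc1, _p2, ...) are not handled and are
# reported as "unknown". ver_lt and php_status are hypothetical helper names.

FIXED_VERSION="5.2.6-r6"   # first unaffected version, from the advisory table

# ver_lt A B: return 0 if A sorts before B, 1 if not, 2 if either is unparseable.
ver_lt() {
    a=$1 b=$2 arev=0 brev=0
    for v in "$a" "$b"; do
        printf '%s\n' "$v" | grep -Eq '^[0-9]+(\.[0-9]+)*(-r[0-9]+)?$' || return 2
    done
    # Split off the ebuild revision; a missing revision counts as -r0.
    case $a in *-r*) arev=${a##*-r}; a=${a%-r*} ;; esac
    case $b in *-r*) brev=${b##*-r}; b=${b%-r*} ;; esac
    # Walk the dotted components left to right, comparing numerically.
    while [ -n "$a" ] || [ -n "$b" ]; do
        if [ -z "$a" ]; then return 0; fi   # A has fewer components: older
        if [ -z "$b" ]; then return 1; fi
        x=${a%%.*} y=${b%%.*}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    # Same upstream version: the revision decides.
    if [ "$arev" -lt "$brev" ]; then return 0; fi
    return 1
}

# php_status VERSION: print vulnerable, unaffected or unknown.
php_status() {
    rc=0
    ver_lt "$1" "$FIXED_VERSION" || rc=$?
    case $rc in
        0) echo vulnerable ;;
        1) echo unaffected ;;
        *) echo unknown ;;
    esac
}

# Constructed sample versions, not taken from a real host.
for ver in 5.2.5-r1 5.2.6 5.2.6-r5 5.2.6-r6 5.2.8 5.2.6_rc1; do
    printf '%-10s %s\n' "$ver" "$(php_status "$ver")"
done
```

Treat an "unknown" result as a prompt to check the host by hand rather than as a pass.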

References
==========

  [ 1 ] CVE-2008-0599
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599
  [ 2 ] CVE-2008-0674
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0674
  [ 3 ] CVE-2008-1384
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1384
  [ 4 ] CVE-2008-2050
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2050
  [ 5 ] CVE-2008-2051
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051
  [ 6 ] CVE-2008-2107
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107
  [ 7 ] CVE-2008-2108
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108
  [ 8 ] CVE-2008-2371
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2371
  [ 9 ] CVE-2008-2665
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2665
  [ 10 ] CVE-2008-2666
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2666
  [ 11 ] CVE-2008-2829
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829
  [ 12 ] CVE-2008-3658
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658
  [ 13 ] CVE-2008-3659
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
  [ 14 ] CVE-2008-3660
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200811-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
 