
Bug 125878

Summary: dev-lang/php: ext/session HTTP Response Splitting and XSS through errors
Product: Gentoo Security
Reporter: Andy Kraut <akraut>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: php-bugs
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://www.php.net/release_5_1_2.php
Whiteboard: A4 [glsa]
Package list:
Runtime testing required: ---

Description Andy Kraut 2006-03-11 14:49:29 UTC
Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function.  PHP 5.1.2 fixes this vulnerability.
--akraut

CVE-2006-0207
Comment 1 Luca Longinotti (RETIRED) gentoo-dev 2006-03-11 17:27:10 UTC
The same issue can be found in dev-lang/php-4.4.1-r3, PHP 4.4.2 fixes this (see http://www.php.net/release_4_4_2.php for details), the other "big issues" mentioned in the release announcement were already fixed by 4.4.1-r3, the security issues will be fixed by adding dev-lang/php-4.4.2 to the tree today/tomorrow (depends on your timezone :P), will update the bug once it's done.
Best regards, CHTEKK.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-03-12 03:35:38 UTC
Grouping bugs as the same release(s) also fix:

Multiple cross-site scripting (XSS) vulnerabilities in PHP 5.1.1, when
display_errors and html_errors are on, allow remote attackers to inject
arbitrary web script or HTML via inputs to PHP applications that are not
filtered when they are included in the resulting error message.
Note: Gentoo's default config file for PHP has display_errors=on and
html_errors=off making a default-configured system not vulnerable.

CVE-2006-0208
Affected versions are 5.x < 5.1.2 and 4.x < 4.2.2
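
Added example (not part of the bug thread, and not Gentoo's or PHP's own code): a small php.ini audit for the precondition described in Comment 2, which reports whether display_errors and html_errors are both switched on. The function names, the verdict strings and the sample ini text are assumptions made for this illustration.

```python
import re

# Values php.ini treats as boolean "on" (case-insensitive); any other value
# is counted as off here, which is a simplification of this example.
ON_VALUES = {"1", "on", "true", "yes"}
DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")
WATCHED = ("display_errors", "html_errors")


def effective_flags(ini_text):
    """Map each watched directive to True, False, or None when it is not set."""
    flags = dict.fromkeys(WATCHED)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]  # drop ';' comments, incl. commented-out lines
        match = DIRECTIVE.match(line)
        if match and match.group(1) in flags:  # directive names are case-sensitive
            value = match.group(2).strip("\"'").lower()
            flags[match.group(1)] = value in ON_VALUES  # a later line overrides
    return flags


def audit(ini_text):
    """Classify a php.ini against the precondition described in Comment 2."""
    flags = effective_flags(ini_text)
    if False in flags.values():
        verdict = "ok"        # one switch is off, precondition not met
    elif all(flags.values()):
        verdict = "exposed"   # both on: upgrade to a fixed PHP or turn one off
    else:
        verdict = "unknown"   # something unset: PHP's built-in default applies
    return {"verdict": verdict, **flags}


# Constructed samples; the first mirrors the Gentoo default quoted above.
GENTOO_DEFAULT = "[PHP]\ndisplay_errors = On\n; html_errors = On\nhtml_errors = Off\n"
BOTH_ON = "[PHP]\ndisplay_errors = On\nhtml_errors = Off\nhtml_errors = \"1\"\n"

if __name__ == "__main__":
    for name, text in (("gentoo-default", GENTOO_DEFAULT), ("both-on", BOTH_ON)):
        print(name, audit(text))
```

A verdict of "unknown" means the file leaves a directive unset, so the value has to be confirmed on the running interpreter rather than from the file.
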
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-03-12 03:36:18 UTC
*** Bug 125880 has been marked as a duplicate of this bug. ***
Comment 4 Luca Longinotti (RETIRED) gentoo-dev 2006-03-12 05:30:42 UTC
dev-lang/php-4.4.2 and dev-lang/php-5.1.2 were just added to CVS, both are ready for arches to stable them, enjoy! ;)
Best regards, CHTEKK.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-12 06:46:55 UTC
arches, please test and stable - thank you!
Comment 6 Simon Stelling (RETIRED) gentoo-dev 2006-03-12 09:02:20 UTC
amd64 both stable
Comment 7 Fernando J. Pereda (RETIRED) gentoo-dev 2006-03-12 09:07:50 UTC
Both alpha'lized.
Comment 8 Jason Wever (RETIRED) gentoo-dev 2006-03-12 10:20:39 UTC
SPARC'd
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2006-03-12 12:47:45 UTC
ppc stable
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2006-03-12 13:38:20 UTC
both stable on ppc64
Comment 11 René Nussbaumer (RETIRED) gentoo-dev 2006-03-13 13:15:37 UTC
Stable on hppa
Comment 12 Joshua Jackson (RETIRED) gentoo-dev 2006-03-13 22:06:30 UTC
x86 done \(^.^)/
Comment 13 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-14 06:20:18 UTC
Ready for GLSA vote, I tend to say yes
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2006-03-14 13:27:55 UTC
Yes here too.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2006-03-14 13:28:40 UTC
Ready for GLSA
Comment 16 Matthias Geerdsen (RETIRED) gentoo-dev 2006-03-22 14:22:43 UTC
the GLSA will contain the following:

Unaffected packages:	dev-lang/php >= 5.1.2 on all architectures

Vulnerable packages:	
dev-lang/php < 4.4.2 on all architectures
dev-lang/php *>= 5.1.1 on all architectures
dev-lang/php *>= 5.0.5 on all architectures
dev-lang/php *>= 5.0.4 on all architectures

This is to ensure that future versions of php 4 will not be listed as affected. A side effect is that new revisions of 5.1.1, 5.0.5, 5.0.4 will appear affected in case they ever exist, which appears unlikely.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-22 15:10:54 UTC
GLSA 200603-22

arm, ia64, s390 don't forget to mark stable to benefit from the GLSA.