Bug 125878 - dev-lang/php: ext/session HTTP Response Splitting and XSS through errors
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://www.php.net/release_5_1_2.php
Whiteboard: A4 [glsa]
Duplicates: 125880
Reported: 2006-03-11 14:49 UTC by Andy Kraut
Modified: 2006-11-11 19:59 UTC
Description Andy Kraut 2006-03-11 14:49:29 UTC
Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function.  PHP 5.1.2 fixes this vulnerability.
--akraut

CVE-2006-0207
Comment 1 Luca Longinotti (RETIRED) gentoo-dev 2006-03-11 17:27:10 UTC
The same issue can be found in dev-lang/php-4.4.1-r3, PHP 4.4.2 fixes this (see http://www.php.net/release_4_4_2.php for details), the other "big issues" mentioned in the release announcement were already fixed by 4.4.1-r3, the security issues will be fixed by adding dev-lang/php-4.4.2 to the tree today/tomorrow (depends on your timezone :P), will update the bug once it's done.
Best regards, CHTEKK.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-03-12 03:35:38 UTC
Grouping bugs as the same release(s) also fix:

Multiple cross-site scripting (XSS) vulnerabilities in PHP 5.1.1, when
display_errors and html_errors are on, allow remote attackers to inject
arbitrary web script or HTML via inputs to PHP applications that are not
filtered when they are included in the resulting error message.
Note: Gentoo's default config file for PHP has display_errors=on and
html_errors=off making a default-configured system not vulnerable.

CVE-2006-0208
Affected versions are 5.x < 5.1.2 and 4.x < 4.2.2
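
The condition described in Comment 2, written as a configuration check. This is an added example, not part of the bug report and not Gentoo's or PHP's code: it reads php.ini text and reports whether both display_errors and html_errors are enabled. The function names and sample ini text are constructed, and a directive missing from the file is assumed to be enabled.

```python
import re

# Values PHP's ini parser reads as "off"; anything else is treated as
# enabled here, which is the conservative choice for an audit.
FALSY = {"", "0", "off", "no", "false", "none"}
DIRECTIVES = ("display_errors", "html_errors")

def parse_ini(text):
    """Return the effective value of each directive; the last assignment wins."""
    values = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if m and m.group(1).lower() in DIRECTIVES:
            values[m.group(1).lower()] = m.group(2).strip().strip("\"'").lower()
    return values

def is_on(values, name):
    # Assumption: a directive absent from the file counts as enabled.
    return values.get(name, "on") not in FALSY

def error_xss_exposed(ini_text):
    """True when both directives named in Comment 2 are enabled."""
    values = parse_ini(ini_text)
    return is_on(values, "display_errors") and is_on(values, "html_errors")

# Constructed sample matching the Gentoo default described in Comment 2.
GENTOO_DEFAULT = """\
[PHP]
display_errors = On
html_errors = Off
"""

# Constructed sample with both directives on; the commented line is ignored.
BOTH_ON = """\
[PHP]
display_errors = On
;html_errors = Off
html_errors = On
"""

if __name__ == "__main__":
    for label, text in (("gentoo default", GENTOO_DEFAULT), ("both on", BOTH_ON)):
        state = "exposed" if error_xss_exposed(text) else "not exposed"
        print(f"{label}: {state}")
```
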
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-03-12 03:36:18 UTC
*** Bug 125880 has been marked as a duplicate of this bug. ***
Comment 4 Luca Longinotti (RETIRED) gentoo-dev 2006-03-12 05:30:42 UTC
dev-lang/php-4.4.2 and dev-lang/php-5.1.2 were just added to CVS, both are ready for arches to stable them, enjoy! ;)
Best regards, CHTEKK.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-12 06:46:55 UTC
arches, please test and stable - thank you!
Comment 6 Simon Stelling (RETIRED) gentoo-dev 2006-03-12 09:02:20 UTC
amd64 both stable
Comment 7 Fernando J. Pereda (RETIRED) gentoo-dev 2006-03-12 09:07:50 UTC
Both alpha'lized.
Comment 8 Jason Wever (RETIRED) gentoo-dev 2006-03-12 10:20:39 UTC
SPARC'd
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2006-03-12 12:47:45 UTC
ppc stable
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2006-03-12 13:38:20 UTC
both stable on ppc64
Comment 11 René Nussbaumer (RETIRED) gentoo-dev 2006-03-13 13:15:37 UTC
Stable on hppa
Comment 12 Joshua Jackson (RETIRED) gentoo-dev 2006-03-13 22:06:30 UTC
x86 done \(^.^)/
Comment 13 Stefan Cornelius (RETIRED) gentoo-dev 2006-03-14 06:20:18 UTC
ready for glsa vote, I tend to say yes
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2006-03-14 13:27:55 UTC
Yes here too.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2006-03-14 13:28:40 UTC
Ready for GLSA
Comment 16 Matthias Geerdsen (RETIRED) gentoo-dev 2006-03-22 14:22:43 UTC
the GLSA will contain the following:

Unaffected packages:	dev-lang/php >= 5.1.2 on all architectures

Vulnerable packages:	
dev-lang/php < 4.4.2 on all architectures
dev-lang/php *>= 5.1.1 on all architectures
dev-lang/php *>= 5.0.5 on all architectures
dev-lang/php *>= 5.0.4 on all architectures

This is to ensure that future versions of php 4 will not be listed as affected. A side effect is that new revisions of 5.1.1, 5.0.5, 5.0.4 will appear affected in case they will ever exist, which appears unlikely.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-03-22 15:10:54 UTC
GLSA 200603-22

arm, ia64, s390 don't forget to mark stable to benefit from the GLSA.