Bug#: 228369
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Hanno Boeck <hanno@gentoo.org>

Bug 228369 depends on: 234102


Description:   Opened: 2008-06-19 15:15 0000
http://securityreason.com/achievement_securityalert/55
http://securityreason.com/achievement_securityalert/54

------- Comment #1 From Christian Hoffmann 2008-06-19 16:48:30 0000 -------
Hijacking this bug for all the other security-related bug fixes.

-r2 will hit the tree in the near future (maybe it'll take a few days),
containing these fixes:

#1 safe_mode bypass by prepending http:// to paths (see initial description
   of this bug + securityreason advisories)

#2 Bug 221969 (insecure c-client api calls allow for buffer overflows)
   This IMO allows for local code execution (as such bypassing safe_mode etc.)
   and maybe even remote code execution when processing specially-crafted
   mails.

#3 Crash in stream_context_set_params()
   http://bugs.php.net/44712

#4 Crash in class PDORow
   Commit msg: "Add check for avoid segfault when trying instantiate
                PDORow manually"

#5 Crash (double free) in Dom->setAttributeNode
   http://bugs.php.net/45251
   Commit msg: "fixed bug #45251 (double free or corruption with
                setAttributeNode())"

#6 Crash in array functions under certain circumstances
   http://bugs.php.net/45312
   Commit msg: "Fixed bug #45312 (Segmentation fault on second request for
                array functions)"

Only #2 looks a bit more serious to me, the others are just crashes or
safe_mode bypasses.

There is no fix for issue #1, I'll bug upstream...

------- Comment #2 From Christian Hoffmann 2008-06-21 09:58:41 0000 -------
JFYI, issue #1 does not seem to be reproducible when enabling safe_mode via CLI
(i.e. php -d safe_mode=on). It seems to work as expected in this case. If you
want to reproduce it, use real files. :)

------- Comment #3 From Christian Hoffmann 2008-07-02 21:54:06 0000 -------
Ignore comment #1, we'll handle the other issues in bug 230575.
Initial issue still unfixed, I've got a patch which needs some testing and an
OK from upstream.

------- Comment #4 From Christian Hoffmann 2008-07-21 19:42:59 0000 -------
I proposed two patches and have further discussed this issue with Felipe Pena
from upstream. My fix got committed [1], so I'm going to include it in our next
patchset revision.
I'll wait some days to see if this causes some unwanted false positive
safe_mode warnings though.

[1] http://news.php.net/php.cvs/51348

------- Comment #5 From Christian Hoffmann 2008-10-13 20:20:02 0000 -------
Updating whiteboard.

------- Comment #6 From Tobias Heinlein 2008-11-16 16:14:57 0000 -------
GLSA 200811-05, thanks everyone, especially hoffie.
