Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 414553 (CVE-2012-1823) - <dev-lang/php-5.3.13: Remote code execution vulnerability (CVE-2011-1398,CVE-2012-{1823,2311,2335,2336})
Summary: <dev-lang/php-5.3.13: Remote code execution vulnerability (CVE-2011-1398,CVE-...
Status: RESOLVED FIXED
Alias: CVE-2012-1823
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=61910
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks: CVE-2012-1172
  Show dependency tree
 
Reported: 2012-05-04 04:04 UTC by Tim Sammut (RETIRED)
Modified: 2012-09-24 00:27 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2012-05-04 04:04:30 UTC
From the upstream bug at $URL:

OVERVIEW
PHP-CGI-based setups contain a vulnerability when parsing query
string parameters from php files.

DESCRIPTION
According to PHP's website, "PHP is a widely-used general-purpose
scripting language that is especially suited for Web development and
can be embedded into HTML." When PHP is used in a CGI-based setup
(such as Apache's mod_cgid), the php-cgi receives a processed query
string parameter as command line arguments which allows command-line
switches, such as -s, -d or -c to be passed to the php-cgi binary,
which can be exploited to disclose source code and obtain arbitrary
code execution.

An example of the -s command, allowing an attacker to view the source
code of index.php is below:
http://localhost/index.php?-s

IMPACT
A remote unauthenticated attacker could obtain sensitive information,
cause a denial of service condition or may be able to execute
arbitrary code with the privileges of the web server.

This is fixed in PHP 5.3.12 and PHP 5.4.2.

@php, can we stabilize 5.3.12 now?
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-05-04 05:34:34 UTC
acked via IRC.

Arches, please test and mark stable:
=dev-lang/php-5.3.12
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 2 Marco Squarcina 2012-05-04 08:35:28 UTC
(In reply to comment #1)
> acked via IRC.
> 
> Arches, please test and mark stable:
> =dev-lang/php-5.3.12
> Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

As far as I know, the issue has not been fixed in any PHP version yet. Please refear to the original advisory[1] for updates on the subject.

[1]: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2012-05-04 14:23:47 UTC
Thanks, Marco.

Alright, the upstream fix is reportedly incomplete. CVE-2012-2311 has been assigned for the incomplete fix. Removing arches. Red Hat bug is at https://bugzilla.redhat.com/show_bug.cgi?id=818907; I do not see an new upstream bug.
Comment 4 Ole Markus With (RETIRED) gentoo-dev 2012-05-07 14:17:30 UTC
FYI: http://www.php.net/index.php#id2012-05-06-1

Will bump as soon as I spot the updates.
Comment 5 Ole Markus With (RETIRED) gentoo-dev 2012-05-08 17:23:07 UTC
5.3.13 in CVS now.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2012-05-08 17:25:40 UTC
Great, thank you.

Arches, please test and mark stable:
=dev-lang/php-5.3.13
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2012-05-08 20:56:40 UTC
amd64 done
Comment 8 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-05-09 06:47:59 UTC
x86 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2012-05-10 03:25:22 UTC
Stable for HPPA.
Comment 10 Brent Baude (RETIRED) gentoo-dev 2012-05-10 19:34:14 UTC
ppc64 done
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2012-05-12 12:47:13 UTC
Stable on alpha.
Comment 12 Markus Meier gentoo-dev 2012-05-12 13:05:26 UTC
arm stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2012-05-12 16:33:23 UTC
ia64/s390/sh/sparc stable
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-05-20 23:43:22 UTC
CVE-2012-2336 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2336):
  sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when
  configured as a CGI script (aka php-cgi), does not properly handle query
  strings that lack an = (equals sign) character, which allows remote
  attackers to cause a denial of service (resource consumption) by placing
  command-line options in the query string, related to lack of skipping a
  certain php_getopt for the 'T' case.  NOTE: this vulnerability exists
  because of an incomplete fix for CVE-2012-1823.

CVE-2012-2335 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2335):
  php-wrapper.fcgi does not properly handle command-line arguments, which
  allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and
  5.4.2 and execute arbitrary code by leveraging improper interaction between
  the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +-
  sequence.

CVE-2012-2311 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2311):
  sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when
  configured as a CGI script (aka php-cgi), does not properly handle query
  strings that contain a %3D sequence but no = (equals sign) character, which
  allows remote attackers to execute arbitrary code by placing command-line
  options in the query string, related to lack of skipping a certain
  php_getopt for the 'd' case.  NOTE: this vulnerability exists because of an
  incomplete fix for CVE-2012-1823.

CVE-2012-1823 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1823):
  sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when
  configured as a CGI script (aka php-cgi), does not properly handle query
  strings that lack an = (equals sign) character, which allows remote
  attackers to execute arbitrary code by placing command-line options in the
  query string, related to lack of skipping a certain php_getopt for the 'd'
  case.
Comment 15 Brent Baude (RETIRED) gentoo-dev 2012-05-21 17:53:40 UTC
ppc done
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2012-05-23 02:51:18 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2012-09-08 15:27:06 UTC
CVE-2011-1398 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1398):
  The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 does not
  properly handle %0D sequences (aka carriage return characters), which allows
  remote attackers to bypass an HTTP response-splitting protection mechanism
  via a crafted URL, related to improper interaction between the PHP header
  function and certain browsers, as demonstrated by Internet Explorer and
  Google Chrome.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 00:27:46 UTC
This issue was resolved and addressed in
 GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml
by GLSA coordinator Sean Amoss (ackle).