********************************* FIXED ******************************* CVE-2007-4887: The dl function in PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in the library parameter. NOTE: there are limited usage scenarios under which this would be a vulnerability. * FIXED IN SNAPSHOT CVE-2007-4840: PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via (1) a long string in the out_charset parameter to the iconv function; or a long string in the charset parameter to the (2) iconv_mime_decode_headers, (3) iconv_mime_decode, or (4) iconv_strlen function. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless these issues can be demonstrated for code execution. * WORKAROUND, GLIBC BUG * ... beside the cve not listing all vulnerable functions. xmlrpc* stuff also seems to use iconv internally and the output handler of ext/iconv wasn't mentioned in the cve either CVE-2007-4825: Directory traversal vulnerability in PHP 5.2.4 and earlier allows attackers to bypass open_basedir restrictions and possibly execute arbitrary code via a .. (dot dot) in the dl function. * FIXED IN SNAPSHOT CVE-2007-4784: The setlocale function in PHP before 5.2.4 allows context-dependent attackers to cause a denial of service (application crash) via a long string in the locale parameter. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless this issue can be demonstrated for code execution. * RELEASE * FIXED BEFORE CVE-2007-4783: The iconv_substr function in PHP 5.2.4 and earlier allows context-dependent attackers to cause (1) a denial of service (application crash) via a long string in the charset parameter, probably also requiring a long string in the str parameter; or (2) a denial of service (temporary application hang) via a long string in the str parameter. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless these issues can be demonstrated for code execution. * WORKAROUND, GLIBC BUG CVE-2007-4782: PHP before 5.2.3 allows context-dependent attackers to cause a denial of service (application crash) via (1) a long string in the pattern parameter to the glob function; or (2) a long string in the string parameter to the fnmatch function, accompanied by a pattern parameter value with undefined characteristics, as demonstrated by a "*[1]e" value. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless these issues can be demonstrated for code execution. * RELEASE CVE-2007-4727: Buffer overflow in the fcgi_env_add function in mod_proxy_backend_fastcgi.c in the mod_fastcgi extension in lighttpd before 1.4.18 allows remote attackers to overwrite arbitrary CGI variables and execute arbitrary code via an HTTP request with a long content length, as demonstrated by overwriting the SCRIPT_FILENAME variable, aka a "header overflow." * SNAPSHOT CVE-2007-4670: Unspecified vulnerability in PHP before 5.2.4 has unknown impact and attack vectors, related to an "Improved fix for MOPB-03-2007," probably a variant of CVE-2007-1285. * RELEASE * CHLOG: Improved fix for MOPB-03-2007. (Ilia) CVE-2007-4663: Directory traversal vulnerability in PHP before 5.2.4 allows attackers to bypass open_basedir restrictions via unspecified vectors involving the glob function. * RELEASE * CHLOG: Fixed bug #41655 (open_basedir bypass via glob()). (Ilia) CVE-2007-4662: Buffer overflow in the php_openssl_make_REQ function in PHP before 5.2.4 has unknown impact and attack vectors. * RELEASE * Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre) CVE-2007-4661: The chunk_split function in string.c in PHP 5.2.3 does not properly calculate the needed buffer size due to precision loss when performing integer arithmetic with floating point numbers, which has unknown attack vectors and impact, possibly resulting in a heap-based buffer overflow. NOTE: this is due to an incomplete fix for CVE-2007-2872. * RELEASE * ISN'T THIS THE SAME AS THE NEXT ONE? (CVE-2007-4660) CVE-2007-4660: Unspecified vulnerability in the chunk_split function in PHP before 5.2.4 has unknown impact and attack vectors, related to an incorrect size calculation. * RELEASE * CHLOG: Fixed size calculation in chunk_split(). (Stas) CVE-2007-4659: The zend_alter_ini_entry function in PHP before 5.2.4 does not properly handle an interruption to the flow of execution triggered by a memory_limit violation, which has unknown impact and attack vectors. * RELEASE * CHLOG: Fixed zend_alter_ini_entry() memory_limit interruption vulnerability. (Ilia) CVE-2007-4658: The money_format function in PHP before 5.2.4 permits multiple (1) %i and (2) %n tokens, which has unknown impact and attack vectors, possibly related to a format string vulnerability. * RELEASE * CHLOG: Fixed money_format() not to accept multiple %i or %n tokens. (Stas, Ilia) CVE-2007-4657: Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, allow remote attackers to obtain sensitive information (memory contents) or cause a denial of service (thread crash) via a large len value to the (1) strspn or (2) strcspn function, which triggers an out-of-bounds read. NOTE: this affects different product versions than CVE-2007-3996. * RELEASE * CHLOG: Fixed integer overflow in str[c]spn(). (Stas) CVE-2007-4652: The session extension in PHP before 5.2.4 might allow local users to bypass open_basedir restrictions via a session file that is a symlink. * RELEASE * Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia) CVE-2007-3998: The wordwrap function in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, does not properly use the breakcharlen variable, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash, or infinite loop) via certain arguments, as demonstrated by a 'chr(0), 0, ""' argument set. * RELEASE * CHLOG: Fixed "Floating point exception" inside wordwrap(). (Mattias Bengtsson, Ilia) CVE-2007-3997: The (1) MySQL and (2) MySQLi extensions in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, allow remote attackers to bypass safe_mode and open_basedir restrictions via MySQL LOCAL INFILE operations, as demonstrated by a query with LOAD DATA LOCAL INFILE. * RELEASE * CHLOG: Fixed INFILE LOCAL option handling with MySQL extensions not to be allowed when open_basedir or safe_mode is active. (Stas) CVE-2007-3996: Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function. * RELEASE * CHLOG: Fixed several integer overflows in ImageCreate(), ImageCreateTrueColor(), ImageCopyResampled() and ImageFilledPolygon() reported by Mattias Bengtsson. (Tony) CVE-2007-3806: The glob function in PHP 5.2.3 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an invalid value of the flags parameter, probably related to memory corruption or an invalid read on win32 platforms, and possibly related to lack of initialization for a glob structure. * RELEASE * CHLOG: Fixed possible invalid read in glob() win32 implementation (CVE-2007-3806). (Tony) CVE-2007-3378: The (1) session_save_path, (2) ini_set, and (3) error_log functions in PHP 4.4.7 and earlier, and PHP 5 5.2.3 and earlier, when invoked from a .htaccess file, allow remote attackers to bypass safe_mode and open_basedir restrictions and possibly execute arbitrary commands via php_value directives in .htaccess. * RELEASE * CHLOG: Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) (Stas, Maksymilian Arciemowicz) CVE-2007-2872: Multiple integer overflows in the chunk_split function in PHP 5 before 5.2.3 allow remote attackers to cause a denial of service (crash) or execute arbitrary code via the (1) chunks, (2) srclen, and (3) chunklen arguments. * RELEASE * CHLOG: Corrected fix for CVE-2007-2872. (Ilia) ********************************* UNFIXED ***************************** CVE-2007-4889: The MySQL extension in PHP 5.2.4 and earlier allows remote attackers to bypass safe_mode and open_basedir restrictions via the MySQL (1) LOAD_FILE, (2) INTO DUMPFILE, and (3) INTO OUTFILE functions, a different issue than CVE-2007-3997. * UNFIXED * rbu: CVE-2007-4889 this hasn't been fixed and will probably never be -> mysql configuration issue ************************* NONE OF OUR BUSINESS ************************* CVE-2007-4596: The perl extension in PHP does not follow safe_mode restrictions, which allows context-dependent attackers to execute arbitrary code via the Perl eval function. NOTE: this might only be a vulnerability in limited environments. * NONE OF OUR BUSINESS CVE-2007-4507: Multiple buffer overflows in the php_ntuser component for PHP 5.2.3 allow context-dependent attackers to cause a denial of service or execute arbitrary code via long arguments to the (1) ntuser_getuserlist, (2) ntuser_getuserinfo, (3) ntuser_getusergroups, or (4) ntuser_getdomaincontroller functions. * NONE OF OUR BUSINESS CVE-2007-4255: Buffer overflow in the mSQL extension in PHP 5.2.3 allows context-dependent attackers to execute arbitrary code via a long first argument to the msql_connect function. * NONE OF OUR BUSINESS CVE-2007-4010: The win32std extension in PHP 5.2.3 does not follow safe_mode and disable_functions restrictions, which allows remote attackers to execute arbitrary commands via the win_shell_execute function. * NONE OF OUR BUSINESS CVE-2007-3790: The com_print_typeinfo function in the bz2 extension in PHP 5.2.3 allows context-dependent attackers to cause a denial of service via a long argument. * WINDOWS ONLY