Gentoo's Bugzilla – Attachment 131886 Details for Bug 191034: dev-lang/php <5.2.4_p20070914-r2 Multiple issues
Attachment: php-5.2.4-fixed-issues (text/plain), 11.78 KB
Description: php-5.2.4-fixed-issues
Creator: Robert Buchholz (RETIRED)
Created: 2007-09-25 18:49:27 UTC
Flags: patch, obsolete
>********************************* FIXED *******************************
>
>CVE-2007-4887:
> The dl function in PHP 5.2.4 and earlier allows context-dependent
> attackers to cause a denial of service (application crash) via a long
> string in the library parameter. NOTE: there are limited usage
> scenarios under which this would be a vulnerability.
>* FIXED IN SNAPSHOT
>
>
>CVE-2007-4840:
> PHP 5.2.4 and earlier allows context-dependent attackers to cause a
> denial of service (application crash) via (1) a long string in the
> out_charset parameter to the iconv function; or a long string in the
> charset parameter to the (2) iconv_mime_decode_headers, (3)
> iconv_mime_decode, or (4) iconv_strlen function. NOTE: this might not
> be a vulnerability in most web server environments that support
> multiple threads, unless these issues can be demonstrated for code
> execution.
>* WORKAROUND, GLIBC BUG
>* <hoffie> ... beside the cve not listing all vulnerable functions.
> xmlrpc* stuff also seems to use iconv internally and the output
> handler of ext/iconv wasn't mentioned in the cve either
>
>
>CVE-2007-4825:
> Directory traversal vulnerability in PHP 5.2.4 and earlier allows
> attackers to bypass open_basedir restrictions and possibly execute
> arbitrary code via a .. (dot dot) in the dl function.
>* FIXED IN SNAPSHOT
>
>
>CVE-2007-4784:
> The setlocale function in PHP before 5.2.4 allows context-dependent
> attackers to cause a denial of service (application crash) via a long
> string in the locale parameter. NOTE: this might not be a
> vulnerability in most web server environments that support multiple
> threads, unless this issue can be demonstrated for code execution.
>* RELEASE
>* FIXED BEFORE
>
>
>CVE-2007-4783:
> The iconv_substr function in PHP 5.2.4 and earlier allows
> context-dependent attackers to cause (1) a denial of service
> (application crash) via a long string in the charset parameter,
> probably also requiring a long string in the str parameter; or (2) a
> denial of service (temporary application hang) via a long string in
> the str parameter. NOTE: this might not be a vulnerability in most
> web server environments that support multiple threads, unless these
> issues can be demonstrated for code execution.
>* WORKAROUND, GLIBC BUG
>
>
>CVE-2007-4782:
> PHP before 5.2.3 allows context-dependent attackers to cause a denial
> of service (application crash) via (1) a long string in the pattern
> parameter to the glob function; or (2) a long string in the string
> parameter to the fnmatch function, accompanied by a pattern parameter
> value with undefined characteristics, as demonstrated by a "*[1]e"
> value. NOTE: this might not be a vulnerability in most web server
> environments that support multiple threads, unless these issues can be
> demonstrated for code execution.
>* RELEASE
>
>
>CVE-2007-4727:
> Buffer overflow in the fcgi_env_add function in
> mod_proxy_backend_fastcgi.c in the mod_fastcgi extension in lighttpd
> before 1.4.18 allows remote attackers to overwrite arbitrary CGI
> variables and execute arbitrary code via an HTTP request with a long
> content length, as demonstrated by overwriting the SCRIPT_FILENAME
> variable, aka a "header overflow."
>* SNAPSHOT
>
>
>CVE-2007-4670:
> Unspecified vulnerability in PHP before 5.2.4 has unknown impact and
> attack vectors, related to an "Improved fix for MOPB-03-2007,"
> probably a variant of CVE-2007-1285.
>* RELEASE
>* CHLOG: Improved fix for MOPB-03-2007. (Ilia)
>
>
>CVE-2007-4663:
> Directory traversal vulnerability in PHP before 5.2.4 allows attackers
> to bypass open_basedir restrictions via unspecified vectors involving
> the glob function.
>* RELEASE
>* CHLOG: Fixed bug #41655 (open_basedir bypass via glob()). (Ilia)
>
>
>CVE-2007-4662:
> Buffer overflow in the php_openssl_make_REQ function in PHP before
> 5.2.4 has unknown impact and attack vectors.
>* RELEASE
>* Fixed bug #42222 (possible buffer overflow in php_openssl_make_REQ). (Pierre)
>
>
>CVE-2007-4661:
> The chunk_split function in string.c in PHP 5.2.3 does not properly
> calculate the needed buffer size due to precision loss when performing
> integer arithmetic with floating point numbers, which has unknown
> attack vectors and impact, possibly resulting in a heap-based buffer
> overflow. NOTE: this is due to an incomplete fix for CVE-2007-2872.
>* RELEASE
>* ISN'T THIS THE SAME AS THE NEXT ONE? (CVE-2007-4660)
>
>
>CVE-2007-4660:
> Unspecified vulnerability in the chunk_split function in PHP before
> 5.2.4 has unknown impact and attack vectors, related to an incorrect
> size calculation.
>* RELEASE
>* CHLOG: Fixed size calculation in chunk_split(). (Stas)
>
>
>CVE-2007-4659:
> The zend_alter_ini_entry function in PHP before 5.2.4 does not
> properly handle an interruption to the flow of execution triggered by
> a memory_limit violation, which has unknown impact and attack vectors.
>* RELEASE
>* CHLOG: Fixed zend_alter_ini_entry() memory_limit interruption vulnerability. (Ilia)
>
>
>CVE-2007-4658:
> The money_format function in PHP before 5.2.4 permits multiple (1) %i
> and (2) %n tokens, which has unknown impact and attack vectors,
> possibly related to a format string vulnerability.
>* RELEASE
>* CHLOG: Fixed money_format() not to accept multiple %i or %n tokens. (Stas, Ilia)
>
>
>CVE-2007-4657:
> Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before
> 5.2.4, allow remote attackers to obtain sensitive information (memory
> contents) or cause a denial of service (thread crash) via a large len
> value to the (1) strspn or (2) strcspn function, which triggers an
> out-of-bounds read. NOTE: this affects different product versions
> than CVE-2007-3996.
>* RELEASE
>* CHLOG: Fixed integer overflow in str[c]spn(). (Stas)
>
>
>CVE-2007-4652:
> The session extension in PHP before 5.2.4 might allow local users to
> bypass open_basedir restrictions via a session file that is a symlink.
>* RELEASE
>* Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). (Ilia)
>
>
>CVE-2007-3998:
> The wordwrap function in PHP 4 before 4.4.8, and PHP 5 before 5.2.4,
> does not properly use the breakcharlen variable, which allows remote
> attackers to cause a denial of service (divide-by-zero error and
> application crash, or infinite loop) via certain arguments, as
> demonstrated by a 'chr(0), 0, ""' argument set.
>* RELEASE
>* CHLOG: Fixed "Floating point exception" inside wordwrap(). (Mattias Bengtsson, Ilia)
>
>
>CVE-2007-3997:
> The (1) MySQL and (2) MySQLi extensions in PHP 4 before 4.4.8, and PHP
> 5 before 5.2.4, allow remote attackers to bypass safe_mode and
> open_basedir restrictions via MySQL LOCAL INFILE operations, as
> demonstrated by a query with LOAD DATA LOCAL INFILE.
>* RELEASE
>* CHLOG: Fixed INFILE LOCAL option handling with MySQL extensions
> not to be allowed when open_basedir or safe_mode is active. (Stas)
>
>
>CVE-2007-3996:
> Multiple integer overflows in libgd in PHP before 5.2.4 allow remote
> attackers to cause a denial of service (application crash) and
> possibly execute arbitrary code via a large (1) srcW or (2) srcH value
> to the (a) gdImageCopyResized function, or a large (3) sy (height) or
> (4) sx (width) value to the (b) gdImageCreate or the (c)
> gdImageCreateTrueColor function.
>* RELEASE
>* CHLOG: Fixed several integer overflows in ImageCreate(), ImageCreateTrueColor(),
> ImageCopyResampled() and ImageFilledPolygon() reported by Mattias Bengtsson.
> (Tony)
>
>
>CVE-2007-3806:
> The glob function in PHP 5.2.3 allows context-dependent attackers to
> cause a denial of service and possibly execute arbitrary code via an
> invalid value of the flags parameter, probably related to memory
> corruption or an invalid read on win32 platforms, and possibly related
> to lack of initialization for a glob structure.
>* RELEASE
>* CHLOG: Fixed possible invalid read in glob() win32 implementation (CVE-2007-3806). (Tony)
>
>
>CVE-2007-3378:
> The (1) session_save_path, (2) ini_set, and (3) error_log functions in
> PHP 4.4.7 and earlier, and PHP 5 5.2.3 and earlier, when invoked from
> a .htaccess file, allow remote attackers to bypass safe_mode and
> open_basedir restrictions and possibly execute arbitrary commands via
> php_value directives in .htaccess.
>* RELEASE
>* CHLOG: Fixed session.save_path and error_log values to be checked
> against open_basedir and safe_mode (CVE-2007-3378) (Stas,
> Maksymilian Arciemowicz)
>
>
>CVE-2007-2872:
> Multiple integer overflows in the chunk_split function in PHP 5 before
> 5.2.3 allow remote attackers to cause a denial of service (crash) or
> execute arbitrary code via the (1) chunks, (2) srclen, and (3)
> chunklen arguments.
>* RELEASE
>* CHLOG: Corrected fix for CVE-2007-2872. (Ilia)
>
>
>
>********************************* UNFIXED *****************************
>
>CVE-2007-4889:
> The MySQL extension in PHP 5.2.4 and earlier allows remote attackers
> to bypass safe_mode and open_basedir restrictions via the MySQL (1)
> LOAD_FILE, (2) INTO DUMPFILE, and (3) INTO OUTFILE functions, a
> different issue than CVE-2007-3997.
>* UNFIXED
>* <hoffie> rbu: CVE-2007-4889 this hasn't been fixed and will probably never be -> mysql configuration issue
>
>
>
>************************* NONE OF OUR BUSINESS *************************
>
>CVE-2007-4596:
> The perl extension in PHP does not follow safe_mode restrictions,
> which allows context-dependent attackers to execute arbitrary code via
> the Perl eval function. NOTE: this might only be a vulnerability in
> limited environments.
>* NONE OF OUR BUSINESS
>
>
>CVE-2007-4507:
> Multiple buffer overflows in the php_ntuser component for PHP 5.2.3
> allow context-dependent attackers to cause a denial of service or
> execute arbitrary code via long arguments to the (1)
> ntuser_getuserlist, (2) ntuser_getuserinfo, (3) ntuser_getusergroups,
> or (4) ntuser_getdomaincontroller functions.
>* NONE OF OUR BUSINESS
>
>
>CVE-2007-4255:
> Buffer overflow in the mSQL extension in PHP 5.2.3 allows
> context-dependent attackers to execute arbitrary code via a long first
> argument to the msql_connect function.
>* NONE OF OUR BUSINESS
>
>
>CVE-2007-4010:
> The win32std extension in PHP 5.2.3 does not follow safe_mode and
> disable_functions restrictions, which allows remote attackers to
> execute arbitrary commands via the win_shell_execute function.
>* NONE OF OUR BUSINESS
>
>CVE-2007-3790:
> The com_print_typeinfo function in the bz2 extension in PHP 5.2.3
> allows context-dependent attackers to cause a denial of service via a
> long argument.
>* WINDOWS ONLY