============================ FIXED ============================

CVE-2007-3007: PHP 5 before 5.2.3 does not enforce the open_basedir or safe_mode restriction in certain cases, which allows context-dependent attackers to determine the existence of arbitrary files by checking if the readfile function returns a string. NOTE: this issue might also involve the realpath function.
* FIXED IN 5.2.3

CVE-2007-2872: Multiple integer overflows in the chunk_split function in PHP 5 before 5.2.3 allow remote attackers to cause a denial of service (crash) or execute arbitrary code via the (1) chunks, (2) srclen, and (3) chunklen arguments.
* CONFIRMED BY BUG
* FIXED IN 5.2.3

CVE-2007-2756: The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng.
* CONFIRMED BY BUG
* FIXED IN 5.2.3

CVE-2007-1900: CRLF injection vulnerability in the FILTER_VALIDATE_EMAIL filter in ext/filter in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to inject arbitrary e-mail headers via an e-mail address with a '\n' character, which causes a regular expression to ignore the subsequent part of the address string.
* FIXED IN 5.2.3
* (Mentioned in 200705-19, but not actually fixed there)

CVE-2007-1887: Buffer overflow in the sqlite_decode_binary function in the bundled sqlite library in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via an empty value of the in parameter, as demonstrated by calling the sqlite_udf_decode_binary function with a 0x01 character.
* CONFIRMED BY BUG
* UPDATED FIX IN 5.2.3

CVE-NONE: "Fixed memory corruption when reading exif data of a non-file" in exif_read_data() and exif_thumbnail()

MOPB-46-2007: PHP's ext/session does not URL-encode the session id before placing it into the session cookie. Therefore characters with special meaning, like semicolons, can be used to inject further cookie attributes into the session cookie.

CVE-2007-1883: PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to read arbitrary memory locations via an interruption that triggers a user space error handler that changes a parameter to an arbitrary pointer, as demonstrated via the iptcembed function, which calls certain convert_to_* functions with its input parameters.
* PARTIALLY FIXED

php5.2.3-zend-ini-memory-interruption-vuln.patch: "fix memory corruption if one on the on_modify handlers errors out"

http://bugs.php.net/bug.php?id=41919: PHP will crash when trying to convert a string to an array with object as value, you get a segmentation fault.

http://bugs.php.net/bug.php?id=41691: ArrayObject::exchangeArray crashes php

============================ UNFIXED ============================

CVE-2007-3205: The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin, when called without a second parameter, might allow remote attackers to overwrite arbitrary variables by specifying variable names and values in the string to be parsed. NOTE: it is not clear whether this is a design limitation of the function or a bug in PHP, although it is likely to be regarded as a bug in Hardened-PHP and Suhosin.
* UNFIXED
* Expected behaviour of this function. Wrong usage.
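The regex pitfall behind CVE-2007-1900 above (an address ending in '\n' passing an email validator) is shown here in Python rather than PHP, so the behaviour is visible independent of the ext/filter implementation. This is an added example, not code from the original list or from PHP: the address pattern is a deliberately small stand-in for the real FILTER_VALIDATE_EMAIL expression, and the sample addresses are constructed. The mechanism it demonstrates is the one PCRE and Python share: an unadorned `$` also matches immediately before a string-final newline, while `\Z` (the PCRE `D` modifier) does not.

```python
import re

# Deliberately small address grammar: the point is the anchor, not RFC 5322 coverage.
# This is a stand-in pattern, not the one used by PHP's ext/filter.
_ADDR = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"

# Pre-fix style: '$' also matches just before a string-final '\n'
# (Python and PCRE share this default), so "user@example.com\n" validates.
WEAK_EMAIL = re.compile(r"^" + _ADDR + r"$")

# Fixed style: '\Z' matches only at the true end of the string
# (the PCRE equivalent is the D / DOLLAR_ENDONLY modifier).
STRICT_EMAIL = re.compile(r"^" + _ADDR + r"\Z")


def validate_weak(addr: str) -> bool:
    """Accepts a single trailing newline: the CVE-2007-1900 class of bug."""
    return WEAK_EMAIL.match(addr) is not None


def validate_strict(addr: str) -> bool:
    """Rejects anything after the address, including a trailing newline."""
    return STRICT_EMAIL.match(addr) is not None


def validate_hardened(addr: str) -> bool:
    """Belt and braces: tight anchor plus an explicit ban on CR/LF anywhere,
    so the value is safe to splice into a header block regardless of the regex."""
    return "\r" not in addr and "\n" not in addr and validate_strict(addr)


# Constructed sample inputs, not captured traffic.
SAMPLES = {
    "clean":           "user@example.com",
    "trailing_lf":     "user@example.com\n",
    "trailing_crlf":   "user@example.com\r\n",
    "embedded_header": "user@example.com\nBcc: victim@example.net",
}


def classify(validator):
    """Run one validator over the samples; returns {label: accepted?}."""
    return {label: validator(addr) for label, addr in SAMPLES.items()}


if __name__ == "__main__":
    for name, fn in (("weak", validate_weak),
                     ("strict", validate_strict),
                     ("hardened", validate_hardened)):
        print(f"{name:9s} {classify(fn)}")
```

Only the weak anchor lets `trailing_lf` through; an address with a newline followed by more text is rejected by all three because `$` tolerates exactly one final newline and nothing after it. That single accepted newline is what the advisory describes: a validated value that, once concatenated into a header line, already contains a line terminator.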
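MOPB-46-2007 above is a delimiter-injection problem in Set-Cookie construction. The following Python is an added example, not part of the original list and not PHP's ext/session code: it contrasts the pre-fix behaviour (session id copied into the header verbatim) with the fixed behaviour (percent-encoded id) and parses each resulting header value the way a cookie parser would. It assumes the attacker can influence the session id string that the server echoes back, as the entry implies; the cookie name PHPSESSID and the injected id are constructed sample values.

```python
from http.cookies import SimpleCookie
from urllib.parse import quote

COOKIE_NAME = "PHPSESSID"

# Constructed attacker-influenced session id (assumption: the attacker can make
# the server echo an id of their choosing). The ';' ends the cookie value and
# everything after it is read as a cookie attribute by the client.
INJECTED_SID = "abc123; domain=evil.example"


def set_cookie_unencoded(sid: str, path: str = "/") -> str:
    """Pre-fix behaviour: the id is placed into the header value verbatim."""
    return f"{COOKIE_NAME}={sid}; path={path}"


def set_cookie_encoded(sid: str, path: str = "/") -> str:
    """Fixed behaviour: percent-encode the id so ';', '=' and spaces stay data."""
    return f"{COOKIE_NAME}={quote(sid, safe='')}; path={path}"


def parsed_session_cookie(header_value: str):
    """Parse a Set-Cookie value with the stdlib cookie parser and return
    (session id as the client sees it, domain attribute, path attribute)."""
    jar = SimpleCookie()
    jar.load(header_value)
    morsel = jar[COOKIE_NAME]
    return morsel.value, morsel["domain"], morsel["path"]


def injection_succeeded(header_value: str) -> bool:
    """True when the attacker-supplied text became a real cookie attribute."""
    _, domain, _ = parsed_session_cookie(header_value)
    return domain == "evil.example"


if __name__ == "__main__":
    for build in (set_cookie_unencoded, set_cookie_encoded):
        hdr = build(INJECTED_SID)
        print(f"Set-Cookie: {hdr}")
        print("  parsed ->", parsed_session_cookie(hdr),
              "| injected:", injection_succeeded(hdr))
```

With the unencoded header the client stores the id `abc123` and accepts `domain=evil.example` as a genuine attribute; with the encoded header the whole injected string stays inside the cookie value and no extra attribute appears. The same encoding step is what makes the later `path=/` the only attribute the server actually set.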