Gentoo's Bugzilla – Attachment 131973 Details for
Bug 180556
dev-lang/php Multiple issues (CVE-2007-{1887|1900|2756|2872})
php-5.2.3-fixed-issues
php-5.2.3-fixed-issues (text/plain), 3.89 KB, created by
Robert Buchholz (RETIRED)
on 2007-09-26 21:40:49 UTC
>============================ FIXED ============================
>
>CVE-2007-3007:
> PHP 5 before 5.2.3 does not enforce the open_basedir or safe_mode
> restriction in certain cases, which allows context-dependent attackers
> to determine the existence of arbitrary files by checking if the
> readfile function returns a string. NOTE: this issue might also
> involve the realpath function.
>* FIXED IN 5.2.3
>
>
>CVE-2007-2872:
> Multiple integer overflows in the chunk_split function in PHP 5 before
> 5.2.3 allow remote attackers to cause a denial of service (crash) or
> execute arbitrary code via the (1) chunks, (2) srclen, and (3)
> chunklen arguments.
>* CONFIRMED BY BUG
>* FIXED IN 5.2.3
>
>
>CVE-2007-2756:
> The gdPngReadData function in libgd 2.0.34 allows user-assisted
> attackers to cause a denial of service (CPU consumption) via a crafted
> PNG image with truncated data, which causes an infinite loop in the
> png_read_info function in libpng.
>* CONFIRMED BY BUG
>* FIXED IN 5.2.3
>
>
>CVE-2007-1900:
> CRLF injection vulnerability in the FILTER_VALIDATE_EMAIL filter in
> ext/filter in PHP 5.2.0 and 5.2.1 allows context-dependent attackers
> to inject arbitrary e-mail headers via an e-mail address with a '\n'
> character, which causes a regular expression to ignore the subsequent
> part of the address string.
>* FIXED IN 5.2.3
>* (Mentioned in 200705-19, but not actually fixed)
>
>
>CVE-2007-1887:
> Buffer overflow in the sqlite_decode_binary function in the bundled
> sqlite library in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows
> context-dependent attackers to execute arbitrary code via an empty
> value of the in parameter, as demonstrated by calling the
> sqlite_udf_decode_binary function with a 0x01 character.
>* CONFIRMED BY BUG
>* UPDATED FIX IN 5.2.3
>
>
>CVE-NONE:
> "Fixed memory corruption when reading exif data of a non-file" in
> exif_read_data() and exif_thumbnail()
>
>MOPB-46-2007:
> PHP's ext/session does not URL encode the session id
> before placing it into the session cookie. Therefore characters with
> special meaning, like semicolons can be used to inject further
> cookie attributes into the session cookie.
>
>
>CVE-2007-1883:
> PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows
> context-dependent attackers to read arbitrary memory locations via an
> interruption that triggers a user space error handler that changes a
> parameter to an arbitrary pointer, as demonstrated via the iptcembed
> function, which calls certain convert_to_* functions with its input
> parameters.
>* PARTIALLY FIXED
>
>
>php5.2.3-zend-ini-memory-interruption-vuln.patch:
>"fix memory corruption if one on the on_modify handlers errors out"
>
>
>http://bugs.php.net/bug.php?id=41919
>PHP will crash when trying to convert a string to an array with
>object as value, you get a segmentation fault.
>
>
>http://bugs.php.net/bug.php?id=41691
>ArrayObject::exchangeArray crashes php
>
>
>
>============================ UNFIXED ============================
>
>CVE-2007-3205:
> The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Suhosin,
> when called without a second parameter, might allow remote attackers
> to overwrite arbitrary variables by specifying variable names and
> values in the string to be parsed. NOTE: it is not clear whether this
> is a design limitation of the function or a bug in PHP, although it is
> likely to be regarded as a bug in Hardened-PHP and Suhosin.
>* UNFIXED
>* Expected behaviour of this function. Wrong usage.
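
The MOPB-46-2007 entry above is easiest to see at the header level. The following is an added illustration, not part of the attachment and not PHP's own code: a Python model of a server placing a session id into a `Set-Cookie` value verbatim versus percent-encoding it first, with a simplified user-agent parser to show which attributes result. The helper names and the sample id are constructed for this example.

```python
from urllib.parse import quote

def set_cookie_raw(name, session_id):
    """Model of the unfixed behaviour: the id is copied into the header verbatim."""
    return f"{name}={session_id}; path=/"

def set_cookie_encoded(name, session_id):
    """Hardened form: percent-encode everything outside unreserved characters."""
    return f"{name}={quote(session_id, safe='')}; path=/"

def parse_set_cookie(header):
    """Simplified user-agent view: the first ';'-separated token is name=value,
    every later token is a cookie attribute."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for token in rest:
        if not token:
            continue
        key, _, val = token.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def unexpected_attributes(header, allowed=("path",)):
    """Attributes the server never intended to send (a check usable in tests
    or in a response-inspection proxy)."""
    _, _, attrs = parse_set_cookie(header)
    return sorted(key for key in attrs if key not in allowed)

# Constructed sample: a session id value containing a semicolon.
SAMPLE_ID = "abc123; domain=.example.test"

if __name__ == "__main__":
    for build in (set_cookie_raw, set_cookie_encoded):
        header = build("PHPSESSID", SAMPLE_ID)
        print(build.__name__, "->", header)
        print("  unexpected attributes:", unexpected_attributes(header))
```

With the raw builder the parser reports a `domain` attribute the application never set; with the encoded builder the semicolon, space and equals sign become `%3B`, `%20` and `%3D` and stay inside the cookie value.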