Attachment 131973 Details for Bug 180556 – php-5.2.3-fixed-issues

php-5.2.3-fixed-issues

php-5.2.3-fixed-issues (text/plain), 3.89 KB, created by Robert Buchholz (RETIRED) on 2007-09-26 21:40:49 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Robert Buchholz (RETIRED)

Created: 2007-09-26 21:40:49 UTC

Size: 3.89 KB

patch

obsolete

>============================ FIXED ============================
>
>CVE-2007-3007:
>               PHP 5 before 5.2.3 does not enforce the open_basedir or safe_mode
>               restriction in certain cases, which allows context-dependent attackers
>               to determine the existence of arbitrary files by checking if the
>               readfile function returns a string.  NOTE: this issue might also
>               involve the realpath function.
>* FIXED IN 5.2.3
>
>
>CVE-2007-2872:
>               Multiple integer overflows in the chunk_split function in PHP 5 before
>               5.2.3 allow remote attackers to cause a denial of service (crash) or
>               execute arbitrary code via the (1) chunks, (2) srclen, and (3)
>               chunklen arguments.
>* CONFIRMED BY BUG
>* FIXED IN 5.2.3
>
>
>CVE-2007-2756:
>               The gdPngReadData function in libgd 2.0.34 allows user-assisted
>               attackers to cause a denial of service (CPU consumption) via a crafted
>               PNG image with truncated data, which causes an infinite loop in the
>               png_read_info function in libpng.
>* CONFIRMED BY BUG
>* FIXED IN 5.2.3
>
>
>CVE-2007-1900:
>               CRLF injection vulnerability in the FILTER_VALIDATE_EMAIL filter in
>               ext/filter in PHP 5.2.0 and 5.2.1 allows context-dependent attackers
>               to inject arbitrary e-mail headers via an e-mail address with a '\n'
>               character, which causes a regular expression to ignore the subsequent
>               part of the address string.
>* FIXED IN 5.2.3
>* (Mentioned in 200705-19, but not actually fixed)
>
>
>CVE-2007-1887:
>               Buffer overflow in the sqlite_decode_binary function in the bundled
>               sqlite library in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows
>               context-dependent attackers to execute arbitrary code via an empty
>               value of the in parameter, as demonstrated by calling the
>               sqlite_udf_decode_binary function with a 0x01 character.
>* CONFIRMED BY BUG
>* UPDATED FIX IN 5.2.3
>
>
>CVE-NONE:
>               "Fixed memory corruption when reading exif data of a non-file" in
>               exif_read_data() and exif_thumbnail()
>
>MOPB-46-2007:
>               PHP's ext/session does not URL encode the session id
>               before placing it into the session cookie. Therefore characters with
>               special meaning, like semicolons can be used to inject further
>               cookie attributes into the session cookie.
>
>
>CVE-2007-1883:
>               PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows
>               context-dependent attackers to read arbitrary memory locations via an
>               interruption that triggers a user space error handler that changes a
>               parameter to an arbitrary pointer, as demonstrated via the iptcembed
>               function, which calls certain convert_to_* functions with its input
>               parameters.
>* PARTIALLY FIXED
>
>
>php5.2.3-zend-ini-memory-interruption-vuln.patch:
>"fix memory corruption if one on the on_modify handlers errors out"
>
>
>http://bugs.php.net/bug.php?id=41919
>PHP will crash when trying to convert a string to an array with
>object as value, you get a segmentation fault.
>
>
>http://bugs.php.net/bug.php?id=41691
>ArrayObject::exchangeArray crashes php
>
>
>
>============================ UNFIXED ============================
>
>CVE-2007-3205:
>               The parse_str function in (1) PHP, (2) Hardened-PHP, and (3) Subhosin,
>               when called without a second parameter, might allow remote attackers
>               to overwrite arbitrary variables by specifying variable names and
>               values in the string to be parsed.  NOTE: it is not clear whether this
>               is a design limitation of the function or a bug in PHP, although it is
>               likely to be regarded as a bug in Hardened-PHP and Subhosin.
>* UNFIXED
>* Expected behaviour of this function. Wrong usage.

Actions: View

Attachments on bug 180556: 121589 | 121591 | 121740 | 122723 | 131973