Bug 109669

Summary:	dev-php/{mod_php\|php} Possible local safedir restriction bypass
Product:	Gentoo Linux	Reporter:	Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component:	New packages	Assignee:	PHP Bugs <php-bugs>
Status:	RESOLVED FIXED
Severity:	normal
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.securityfocus.com/archive/1/413596/30/0/threaded
Whiteboard:
Package list:		Runtime testing required:	---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-10-17 22:57:42 UTC

Reported on Bugtraq, though not sure how secure safedir is in the first place: 
 
There is a vulnerability (local safedir restriction bypass) identified within 
the GD extension affecting 
 the following functions: 
 - imagegif() 
 - imagepng() 
 - imagejpeg() 
  
 in /ext/gd/gd.c line 1647 
  
 Which is now fixed in the cvs 
 http://cvs.php.net/co.php/php-src/ext/gd/gd.c?r=1.312.2.1#1786

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-10-18 00:51:00 UTC

Note: PHP devs do not consider basedir bypass using extensions as security
vulnerabilities. See bug 69643 for another example...

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-10-19 10:39:41 UTC

Safedir is not safe -> reassigning to php-bugs.

Comment 3 Luca Longinotti (RETIRED) gentoo-dev

2005-11-03 08:44:11 UTC

Fixed in CVS with the latest revisions of all PHP packages.

For new-style PHP:
dev-lang/php-4.3.11-r3
dev-lang/php-4.4.0-r3
dev-lang/php-4.4.1
dev-lang/php-5.0.4-r3
dev-lang/php-5.0.5-r3

For old-style PHP:
dev-php/php-4.3.11-r3
dev-php/php-4.4.0-r3
dev-php/php-cgi-4.3.11-r4
dev-php/php-cgi-4.4.0-r4
dev-php/mod_php-4.3.11-r3 (old-style Apache config layout)
dev-php/mod_php-4.4.0-r6 (old-style Apache config layout)
dev-php/mod_php-4.4.0-r7 (new-style Apache config layout)

Best regards, CHTEKK.