| Summary: | dev-lang/php: mod_php can overtake apache file handles (CVE-2003-1307) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Christian Hoffmann (RETIRED) <hoffie> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED OBSOLETE | | |
| Severity: | normal | CC: | php-bugs |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| URL: | http://bugs.php.net/bug.php?id=38915 | | |
| Whiteboard: | ?? [upstream] | | |
| Package list: | | Runtime testing required: | --- |
Description

Christian Hoffmann (RETIRED)
2008-04-10 13:58:04 UTC

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2003-1307 lists statements from PHP upstream and Red Hat. Debian says this: http://security-tracker.debian.net/tracker/CVE-2003-1307

Comment #1

I highly doubt we will ever see a fix for that. I think we have to live with it.

Comment #2

Unfixable design flaw, as Debian says. Close as WONTFIX?

Comment #3

Yes.

Comment #4

I thought again about the reasons for this bug. As I researched this interesting issue, I found: https://issues.apache.org/bugzilla/show_bug.cgi?id=46425

So it's fixed in Apache. Unfortunately this is still exploitable with apache 2.2.16 / php 5.2.14 (http://hackerdom.ru/~dimmo/phpexpl.c). Wow! Sending the -CONT signal to apache will make it work again. Maybe we better keep this open then. Sorry for the spam.

Comment #5

Yury German

Going through the PHP open bugs for security.

Is this one still valid from 2003?

Comment #6

(In reply to Yury German from comment #5)
> Going through the PHP open bugs for security.
>
> Is this one still valid from 2003?

Yeah, it still crashes apache-2.4.

Comment #7

Aaron Bauman

I am unable to reproduce this with the latest stable versions:

www-servers/apache-2.4.18
dev-lang/php-5.6.19

This is disputed upstream due to how Apache handles the file descriptors.

Anyone else able to reproduce on the latest tree stable versions?

Comment #8

(In reply to Aaron Bauman from comment #7)
> I am unable to reproduce this with the latest stable versions:
>
> www-servers/apache-2.4.18
>
> dev-lang/php-5.6.19
>
> This is disputed upstream due to how Apache handles the file descriptors.
>
> Anyone else able to reproduce on the latest tree stable versions?

I wasn't able to reproduce it the last time I checked, but I forgot exactly what I tried in Comment #6. I'm also using a hardened kernel with a bunch of new security gadgets, so someone should at least try it on gentoo-sources.

Comment #9

Tested this once again on gentoo-sources and vanilla-sources, and am unable to reproduce with any in-tree Apache versions and PHP. Please re-open if anyone is able to reproduce.