Bug 228369

Summary: dev-lang/php <5.2.6-r3: safe_mode bypass (CVE-2008-{2665,2666})
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: php-bugs
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://securityreason.com/achievement_securityalert/54
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 234102    
Bug Blocks:    

Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-06-19 16:48:30 UTC
Hijacking this bug for all the other security-related bug fixes.

-r2 will hit the tree in the near future (maybe it'll take a few days), containing these fixes:

#1 safe_mode bypass by prepending http:// to paths (see initial description
   of this bug + securityreason advisories)

#2 Bug 221969 (insecure c-client api calls allow for buffer overflows)
   This IMO allows for local code execution (as such bypassing safe_mode etc.)
   and maybe even remote code execution when processing specially-crafted mails.

#3 Crash in stream_context_set_params()
   http://bugs.php.net/44712

#4 Crash in class PDORow
   Commit msg: "Add check for avoid segfault when trying instantiate
                PDORow manually"

#5 Crash (double free) in Dom->setAttributeNode
   http://bugs.php.net/45251
   Commit msg: "fixed bug #45251 (double free or corruption with
                setAttributeNode())"

#6 Crash in array functions under certain circumstances
   http://bugs.php.net/45312
   Commit msg: "Fixed bug #45312 (Segmentation fault on second request for
                array functions)"

Only #2 looks a bit more serious to me, the others are just crashes or safe_mode bypasses.

There is no fix for issue #1, I'll bug upstream...
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-06-21 09:58:41 UTC
JFYI, issue #1 does not seem to be reproducible when enabling safe_mode via CLI (i.e. php -d safe_mode=on). It seems to work as expected in this case. If you want to reproduce it, use real files. :)
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-07-02 21:54:06 UTC
Ignore comment #1, we'll handle the other issues in bug 230575.
Initial issue still unfixed, I've got a patch which needs some testing and an OK from upstream.
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2008-07-21 19:42:59 UTC
I proposed two patches and have further discussed this issue with Felipe Pena from upstream. My fix got committed [1], so I'm going to include it in our next patchset revision.
I'll wait some days to see if this causes some unwanted false positive safe_mode warnings though.

[1] http://news.php.net/php.cvs/51348
Comment 5 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-13 20:20:02 UTC
Updating whiteboard.
Comment 6 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-16 16:14:57 UTC
GLSA 200811-05, thanks everyone, especially hoffie.