
Bug 261192 (CVE-2009-0754)

Summary: dev-lang/php mbstring.func_overload privilege escalation (CVE-2009-0754)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: php-bugs
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://cvsweb.php.net/viewvc.cgi/php-src/ext/mbstring/mbstring.c?r1=1.276&r2=1.277
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-04 17:04:17 UTC
CVE-2009-0754 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0754):
  PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows
  local users to modify behavior of other sites hosted on the same web
  server by modifying the mbstring.func_overload setting within
  .htaccess, which causes this setting to be applied to other virtual
  hosts on the same server.

Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-07 18:51:45 UTC
We also have that code in php-5.2.8-r2 /ext/mbstring/mbstring.c, but on line 1067.

Patch: http://www.dfoerster.de/misc/php-27421.diff

rbu, why did you set whiteboard to "B3 [glsa?]" ?!

Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-03-08 02:31:47 UTC
From my understanding, this might lead to data disclosure or denial of service, but does not allow for injection of code into other contexts of Apache. Maybe I am mistaken there?

Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2009-11-26 19:35:14 UTC
Seems to be fixed in recent PHP versions.

Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-05 21:13:44 UTC
GLSA 201001-03.

Thank you everyone, sorry about the delay.
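
An audit check for the condition the CVE description names, added here as an example and not part of the bug thread or of PHP's code: it walks a directory tree (assumed to contain the virtual hosts' document roots) and lists every `.htaccess` line that sets `mbstring.func_overload` through a mod_php `php_value`/`php_flag`-style directive. The function names and the sample `.htaccess` content are constructed for illustration.

```python
import os
import re

# mod_php directives that can set an ini value from Apache configuration.
# Matching is case-insensitive on purpose: over-reporting is acceptable here.
DIRECTIVE = re.compile(
    r'^\s*(php_(?:admin_)?(?:value|flag))\s+mbstring\.func_overload\s+'
    r'["\']?([^"\'\s]+)["\']?\s*$',
    re.IGNORECASE,
)

def find_func_overload(text):
    """Return [(line_no, directive, value)] for lines setting mbstring.func_overload."""
    hits = []
    pending, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = no                      # first physical line of this directive
        line = pending + raw
        if line.endswith("\\"):             # Apache line continuation
            pending = line[:-1] + " "
            continue
        pending = ""
        if line.lstrip().startswith("#"):   # commented-out directive, ignore
            continue
        m = DIRECTIVE.match(line)
        if m:
            hits.append((start, m.group(1).lower(), m.group(2)))
    return hits

def audit_tree(root):
    """Walk root and map each offending .htaccess path to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_func_overload(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample .htaccess content, not taken from the bug report.
SAMPLE = """\
# php_value mbstring.func_overload 7
RewriteEngine On
PHP_Value mbstring.func_overload 7
php_value \\
    mbstring.func_overload "2"
php_value mbstring.language Japanese
"""

if __name__ == "__main__":
    for hit in find_func_overload(SAMPLE):
        print(hit)
```

On a PHP build that still contains the code discussed in this bug, any hit in one site's tree is worth reviewing together with the behaviour of the other virtual hosts served by the same Apache instance.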