
Bug 293888

Summary: <dev-lang/php-5.2.12: "multipart/form-data" denial of service (CVE-2009-{4017,4142,4143})
Product: Gentoo Security
Reporter: Timo Rothweiler <tr.bgo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gef.kornflakes, php-bugs
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://seclists.org/fulldisclosure/2009/Nov/228
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 297399
Bug Blocks: 297369, 297370

Description Timo Rothweiler 2009-11-20 20:11:30 UTC
It seems that all versions of PHP < 5.3.1 have a critical vulnerability to remote attacks. See provided URL.

Reproducible: Always
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-21 22:20:14 UTC
We need a 5.3 ebuild, and maybe also a backport? PHP herd, what's your opinion on this?

I cannot confirm crashes or a hanging apache on Gentoo, Debian and a version I self-compiled. The load just increases to something like ~12 but not further, no swapping or OOM-killing happens, it's just hard disk I/O. On a system with a fast SSD, I can't see any increase in the load, but I haven't tweaked the parameters yet.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2009-11-29 10:21:47 UTC
CVE-2009-4017 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4017):
  PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of
  temporary files created when handling a multipart/form-data POST
  request, which allows remote attackers to cause a denial of service
  (resource exhaustion), and makes it easier for remote attackers to
  exploit local file inclusion vulnerabilities, via multiple requests,
  related to lack of support for the max_file_uploads directive.

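As an added illustration of the check that the max_file_uploads directive introduces (this is example code written for this page, not code from the bug, from PHP or from the advisory): a small Python parser that counts the file parts of a multipart/form-data body from the part headers alone and rejects the request before any part would be spooled to a temporary file. The boundary string and the sample body are constructed here; MAX_FILE_UPLOADS mirrors PHP's default of 20, and the function names are hypothetical.

```python
import re

MAX_FILE_UPLOADS = 20   # PHP's default for max_file_uploads (directive added in 5.2.12)
_FILENAME_RE = re.compile(rb"filename\s*=", re.IGNORECASE)


class TooManyFileParts(ValueError):
    """Raised when a request carries more file parts than the configured cap."""


def count_file_parts(body: bytes, boundary: bytes) -> int:
    """Count parts whose Content-Disposition header carries a filename parameter.

    Only the part headers are inspected and nothing is written to disk, so the
    cost of this check does not grow with the number of file bodies sent.
    """
    delimiter = b"--" + boundary
    files = 0
    for chunk in body.split(delimiter)[1:]:     # element 0 is the preamble
        if chunk.startswith(b"--"):             # "--boundary--" closes the body
            break
        headers = chunk.partition(b"\r\n\r\n")[0]
        for line in headers.split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:") and _FILENAME_RE.search(line):
                files += 1
    return files


def check_upload_count(body: bytes, boundary: bytes, limit: int = MAX_FILE_UPLOADS) -> int:
    """Reject the request up front if it exceeds the cap; return the count otherwise."""
    n = count_file_parts(body, boundary)
    if n > limit:
        raise TooManyFileParts(f"{n} file parts exceed max_file_uploads={limit}")
    return n


def build_body(boundary: bytes, n_files: int) -> bytes:
    """Constructed sample body: one ordinary form field plus n_files file parts."""
    parts = [b"--" + boundary + b"\r\n"
             b'Content-Disposition: form-data; name="comment"\r\n\r\nhello\r\n']
    for i in range(n_files):
        parts.append(b"--" + boundary + b"\r\n"
                     b'Content-Disposition: form-data; name="f%d"; filename="f%d.txt"\r\n'
                     b"Content-Type: text/plain\r\n\r\nx\r\n" % (i, i))
    return b"".join(parts) + b"--" + boundary + b"--\r\n"
```

The ordinary field is never counted; only parts with a filename parameter would have cost a temporary file in the vulnerable versions.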
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2009-12-21 15:46:08 UTC
Fixed in 5.2.12.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2009-12-30 15:31:20 UTC
Arches, please test and mark stable:
=dev-lang/php-5.2.12
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-12-31 13:57:45 UTC
ppc64 done
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-31 16:08:57 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-31 17:11:09 UTC
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2009-12-31 17:58:11 UTC
amd64/arm stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2010-01-01 12:26:37 UTC
Stable on alpha.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-02 23:12:37 UTC
CVE-2009-4142 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4142):
  The htmlspecialchars function in PHP before 5.2.12 does not properly
  handle (1) overlong UTF-8 sequences, (2) invalid Shift_JIS sequences,
  and (3) invalid EUC-JP sequences, which allows remote attackers to
  conduct cross-site scripting (XSS) attacks by placing a crafted byte
  sequence before a special character.

CVE-2009-4143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4143):
  PHP before 5.2.12 does not properly handle session data, which has
  unspecified impact and attack vectors related to (1) interrupt
  corruption of the SESSION superglobal array and (2) the
  session.save_path directive.

Comment 11 Joe Jezak (RETIRED) gentoo-dev 2010-01-05 02:23:31 UTC
Marked ppc stable.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2010-01-05 19:54:48 UTC
ia64/s390/sh/sparc stable
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-05 21:14:13 UTC
GLSA 201001-03.

Thank you everyone, sorry about the delay.