Summary: | <dev-lang/php-5.2.12: "multipart/form-data" denial of service (CVE-2009-{4017,4142,4143}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Timo Rothweiler <tr.bgo> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | gef.kornflakes, php-bugs |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | All | | |
URL: | http://seclists.org/fulldisclosure/2009/Nov/228 | | |
Whiteboard: | A3 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 297399 | | |
Bug Blocks: | 297369, 297370 | | |
Description
Timo Rothweiler
2009-11-20 20:11:30 UTC
We need a 5.3 ebuild, and maybe also a backport? PHP herd, what's your opinion on this?

I cannot confirm crashes or a hanging Apache on Gentoo, Debian and a version I self-compiled. The load just increases to something like ~12 but not further, no swapping or OOM-killing happens, it's just hard disk I/O. On a system with a fast SSD, I can't see any increase in the load, but I haven't tweaked the parameters yet.

CVE-2009-4017 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4017): PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.

Fixed in 5.2.12.

Arches, please test and mark stable: =dev-lang/php-5.2.12
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

ppc64 done

x86 stable

Stable for HPPA.

amd64/arm stable

Stable on alpha.

CVE-2009-4142 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4142): The htmlspecialchars function in PHP before 5.2.12 does not properly handle (1) overlong UTF-8 sequences, (2) invalid Shift_JIS sequences, and (3) invalid EUC-JP sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks by placing a crafted byte sequence before a special character.

CVE-2009-4143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4143): PHP before 5.2.12 does not properly handle session data, which has unspecified impact and attack vectors related to (1) interrupt corruption of the SESSION superglobal array and (2) the session.save_path directive.

Marked ppc stable.

ia64/s390/sh/sparc stable

GLSA 201001-03. Thank you everyone, sorry about the delay.
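As an added illustration of the CVE-2009-4017 mechanism (example code, not from this bug, PHP or Gentoo): a Python sketch of a multipart/form-data part counter that bounds the number of file parts per request in the spirit of the max_file_uploads directive. The 20-part default, the boundary string and the sample bodies are assumptions, and refusing the whole request once the cap is exceeded is a simplification of what PHP does.

```python
import re

# Default of PHP's max_file_uploads directive, the setting that closes CVE-2009-4017.
MAX_FILE_UPLOADS = 20
# Constructed sample boundary; a real client chooses its own.
BOUNDARY = b"----ExampleBoundary7MA4YWxkTrZu0gW"


class TooManyFileParts(Exception):
    """Raised when one request carries more file parts than the configured cap."""


def count_file_parts(body: bytes, boundary: bytes, limit: int = MAX_FILE_UPLOADS) -> int:
    """Count the file-bearing parts of a multipart body, refusing it past the cap.
    Each part is inspected before it would be spooled to a temporary file; before
    PHP 5.2.12 there was no such bound, so every extra part cost another temp file.
    """
    delimiter = b"--" + boundary
    files = 0
    # split()[0] is the preamble before the first delimiter and carries no part.
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # "--boundary--" closes the body
            break
        headers, _sep, _content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        # A part is a file upload when its Content-Disposition carries a filename.
        if re.search(rb"^Content-Disposition:[^\r\n]*;\s*filename=", headers, re.I | re.M):
            files += 1
            if files > limit:
                raise TooManyFileParts(f"more than {limit} file parts in one request")
    return files


def request_accepted(body: bytes, boundary: bytes, limit: int = MAX_FILE_UPLOADS) -> bool:
    """True when the body stays within the cap, False when it would be refused."""
    try:
        count_file_parts(body, boundary, limit)
        return True
    except TooManyFileParts:
        return False


def make_body(n_files: int, boundary: bytes = BOUNDARY) -> bytes:
    """Build a constructed request body: one ordinary field plus n_files file parts."""
    parts = [b"--" + boundary + b'\r\nContent-Disposition: form-data; name="comment"\r\n\r\nhello\r\n']
    for i in range(n_files):
        disposition = b'Content-Disposition: form-data; name="f%d"; filename="f%d.txt"\r\n' % (i, i)
        parts.append(b"--" + boundary + b"\r\n" + disposition + b"Content-Type: text/plain\r\n\r\nx\r\n")
    parts.append(b"--" + boundary + b"--\r\n")
    return b"".join(parts)
```

The count is taken from the part headers alone, so an over-limit request is rejected before any part body is written to disk.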