| Summary: | <dev-lang/php-5.3.7: multiple vulnerabilities (CVE-2011-{2202,2483,3182,3267,3268}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | pasztor.janos, php-bugs, steffen.weber |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.php.net/archive/2011.php#id2011-08-18-1 | | |
| Whiteboard: | A2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 380513 | | |
| Bug Blocks: | 380261 | | |

Description
GLSAMaker/CVETool Bot
2011-06-24 00:51:06 UTC
5.3.7 fixes a whole number of security issues. Also interesting: Seems we can get suhosin back for 5.3.7: http://twitter.com/#!/i0n1c/status/104194056384552960

(In reply to comment #1)
> 5.3.7 fixes a whole number of security issues. Also interesting: Seems we can
> get suhosin back for 5.3.7:
> http://twitter.com/#!/i0n1c/status/104194056384552960

Yep. An update to the suhosin patch was released. I am not going to release 5.3.7 because of the crypt() breakage, but rather wait for 5.3.7pl1, 5.3.8 or whatever they end up calling it. I expect it should be released shortly.

5.3.8 is released and can be stabilised.
You also need to stabilise dev-db/sqlite-3.7.7.1

Also note related bug 38026.

This version includes suhosin, which may make some security people happy.

(In reply to comment #3)
> 5.3.8 is released and can be stabilised.
> You also need to stabilise dev-db/sqlite-3.7.7.1
>
> Also note related bug 38026.
>
> This version includes suhosin, which may make some security people happy.

Great, thank you.

Arches, please test and mark stable:
=dev-lang/php-5.3.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Sorry for the bugspam. The correct target list is:

Arches, please test and mark stable:
=dev-lang/php-5.3.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
=dev-db/sqlite-3.7.7.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Thanks, ago, for keeping me honest.

(In reply to comment #3)
> Also note related bug 38026.

Probably not the bug you wanted to mention.

(In reply to comment #6)
> (In reply to comment #3)
> > Also note related bug 38026.
>
> Probably not the bug you wanted to mention.

Quite. Seems like I missed a bit. I was aiming for bug 380261. Sorry about that.

Stable for HPPA.

amd64 ok

ppc/ppc64 stable

x86 done. Thanks

amd64 done.
Thanks Agostino

arm stable

CVE-2011-3268 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3268):
Buffer overflow in the crypt function in PHP before 5.3.7 allows context-dependent attackers to have an unspecified impact via a long salt argument, a different vulnerability than CVE-2011-2483.

CVE-2011-3267 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3267):
PHP before 5.3.7 does not properly implement the error_log function, which allows context-dependent attackers to cause a denial of service (application crash) via unspecified vectors.

CVE-2011-3182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3182):
PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function.

alpha/ia64/s390/sh/sparc stable

All arches done, Please add glsa request.

Thanks, folks. Added to existing GLSA request.

CVE-2011-2483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2483):
crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.

This issue was resolved and addressed in GLSA 201110-06 at http://security.gentoo.org/glsa/glsa-201110-06.xml by GLSA coordinator Tobias Heinlein (keytoaster).