| Field | Value |
|---|---|
| Summary | <dev-lang/php-5.3.9: is_a() Change in Functional Behaviour Security Issue (CVE-2011-3379) |
| Product | Gentoo Security |
| Reporter | Sean Amoss (RETIRED) <ackle> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | critical |
| CC | ago, kfm, php-bugs |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://bugs.php.net/bug.php?id=55475 |
| Whiteboard | A1 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 396311, 396533 |
Description
Sean Amoss (RETIRED)
2011-09-24 14:35:07 UTC
CVE-2011-3379 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3379): The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the __autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders.

@php The patch is at $URL, please bump it

Sorry for taking so long commenting on this. Some comments from Matti and me:

Firstly, the attack vector for this exploit is somewhat theoretical as it requires the programmer to write multiple sets of bad user land code, i.e. installing this package in itself does not compromise your system.

Secondly, PHP will release a version expected by the end of the next week which reverts the is_a behaviour. Not because of the related security issue, but because it breaks certain PEAR packages in ours and Ubuntu's tree. The bug mentions that current behaviour will be kept in 5.4 tho, but I did not check if this is really the case and upstream have not added any documentation about this in their reference.

5.3.9 containing the revert of is_a behaviour has been released.

"Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of). (alan_k)"

Cheers,
Ole Markus

(In reply to comment #4)
> 5.3.9 containing the revert of is_a behaviour has been released.
>

Shall we move forward to stabilization now via this bug?

Tnx! I even got suhosin into this release (thanks to Hanno), so all good from my side.

Great, thanks.

Arches, please test and mark stable:
=dev-lang/php-5.3.9
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

amd64 stable

x86 stable

alpha/arm/ia64/s390/sh/sparc stable

ppc/ppc64 done

Stable for HPPA.

Filed new glsa request

This issue was resolved and addressed in GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml by GLSA coordinator Sean Amoss (ackle).
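As an added illustration (not code from this bug, from PEAR or from PHP upstream), the behaviour change from the defender's side: the kind of string-trusting autoloader the CVE text calls unsafe, a hardened autoloader that validates the class name and the resolved path, and a type check that never lets a non-object reach is_a() and so never reaches the autoloader on any 5.3.x. The function names, the `lib/` base directory and the probe strings are assumptions constructed for the example.

```php
<?php
// Added example; not from the bug report or from PHP upstream.
// PHP 5.3.7/5.3.8: is_a($value, 'Foo') with a string $value treated $value as
// a class name and invoked the autoloader. 5.3.9 restored the old default and
// added a third parameter, $allow_string, which must be true to opt in.

// Autoloader pattern that made the 5.3.7/5.3.8 behaviour dangerous: whatever
// string reaches it is turned straight into a file path and included.
function loose_autoload($class)
{
    require_once __DIR__ . '/lib/' . str_replace('_', '/', $class) . '.php';
}

// Hardened form: accept only a legal class-name shape, map it to a path and
// require the resolved file to stay inside the assumed lib/ base directory.
function strict_autoload($class)
{
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*\z/', $class)) {
        return; // not a legal PHP class name; refuse without including anything
    }
    $base = realpath(__DIR__ . '/lib');
    $rel  = str_replace(array('\\', '_'), '/', $class) . '.php';
    $file = realpath($base . '/' . $rel);
    if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return; // missing, or resolved outside lib/
    }
    require_once $file;
}

// Type check that behaves the same on every 5.3.x: a non-object is never an
// instance, so it is rejected before is_a() sees it and autoload is not hit.
// On 5.3.9+ passing false as the third argument states the same intent.
function is_instance_of($value, $class)
{
    if (!is_object($value)) {
        return false;
    }
    return is_a($value, $class);
}

spl_autoload_register('strict_autoload');

// Constructed probes: one real object, then strings such as a request
// parameter might carry. Only the object can ever pass the check.
$probes = array(new ArrayObject(), 'ArrayObject', 'Not_A_Loaded_Class', 'no/such-name');
foreach ($probes as $p) {
    var_dump(is_instance_of($p, 'ArrayObject'));
}
```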