Bug 414553 (CVE-2012-1823)

Summary:	<dev-lang/php-5.3.13: Remote code execution vulnerability (CVE-2011-1398,CVE-2012-{1823,2311,2335,2336})
Product:	Gentoo Security	Reporter:	Tim Sammut (RETIRED) <underling>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	critical	CC:	borovoy.anton, kbonner, php-bugs
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugs.php.net/bug.php?id=61910
Whiteboard:	A1 [glsa]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	410957

Description Tim Sammut (RETIRED) gentoo-dev

2012-05-04 04:04:30 UTC

From the upstream bug at $URL:

OVERVIEW
PHP-CGI-based setups contain a vulnerability when parsing query
string parameters from php files.

DESCRIPTION
According to PHP's website, "PHP is a widely-used general-purpose
scripting language that is especially suited for Web development and
can be embedded into HTML." When PHP is used in a CGI-based setup
(such as Apache's mod_cgid), the php-cgi receives a processed query
string parameter as command line arguments which allows command-line
switches, such as -s, -d or -c to be passed to the php-cgi binary,
which can be exploited to disclose source code and obtain arbitrary
code execution.

An example of the -s command, allowing an attacker to view the source
code of index.php is below:
http://localhost/index.php?-s

IMPACT
A remote unauthenticated attacker could obtain sensitive information,
cause a denial of service condition or may be able to execute
arbitrary code with the privileges of the web server.

This is fixed in PHP 5.3.12 and PHP 5.4.2.

@php, can we stabilize 5.3.12 now?

Comment 1 Tim Sammut (RETIRED) gentoo-dev

2012-05-04 05:34:34 UTC

acked via IRC.

Arches, please test and mark stable:
=dev-lang/php-5.3.12
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 2 Marco Squarcina 2012-05-04 08:35:28 UTC

(In reply to comment #1)
> acked via IRC.
> 
> Arches, please test and mark stable:
> =dev-lang/php-5.3.12
> Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

As far as I know, the issue has not been fixed in any PHP version yet. Please refear to the original advisory[1] for updates on the subject.

[1]: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

Comment 3 Tim Sammut (RETIRED) gentoo-dev

2012-05-04 14:23:47 UTC

Thanks, Marco.

Alright, the upstream fix is reportedly incomplete. CVE-2012-2311 has been assigned for the incomplete fix. Removing arches. Red Hat bug is at https://bugzilla.redhat.com/show_bug.cgi?id=818907; I do not see an new upstream bug.

Comment 4 Ole Markus With (RETIRED) gentoo-dev

2012-05-07 14:17:30 UTC

FYI: http://www.php.net/index.php#id2012-05-06-1

Will bump as soon as I spot the updates.

Comment 5 Ole Markus With (RETIRED) gentoo-dev

2012-05-08 17:23:07 UTC

5.3.13 in CVS now.

Comment 6 Tim Sammut (RETIRED) gentoo-dev

2012-05-08 17:25:40 UTC

Great, thank you.

Arches, please test and mark stable:
=dev-lang/php-5.3.13
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 7 Markos Chandras (RETIRED) gentoo-dev

2012-05-08 20:56:40 UTC

amd64 done

Comment 8 Jeff (JD) Horelick (RETIRED) gentoo-dev

2012-05-09 06:47:59 UTC

x86 stable

Comment 9 Jeroen Roovers (RETIRED) gentoo-dev

2012-05-10 03:25:22 UTC

Stable for HPPA.

Comment 10 Brent Baude (RETIRED) gentoo-dev

2012-05-10 19:34:14 UTC

ppc64 done

Comment 11 Tobias Klausmann (RETIRED) gentoo-dev

2012-05-12 12:47:13 UTC

Stable on alpha.

Comment 12 Markus Meier gentoo-dev

2012-05-12 13:05:26 UTC

arm stable

Comment 13 Raúl Porcel (RETIRED) gentoo-dev

2012-05-12 16:33:23 UTC

ia64/s390/sh/sparc stable

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2012-05-20 23:43:22 UTC

CVE-2012-2336 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2336):
  sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when
  configured as a CGI script (aka php-cgi), does not properly handle query
  strings that lack an = (equals sign) character, which allows remote
  attackers to cause a denial of service (resource consumption) by placing
  command-line options in the query string, related to lack of skipping a
  certain php_getopt for the 'T' case.  NOTE: this vulnerability exists
  because of an incomplete fix for CVE-2012-1823.

CVE-2012-2335 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2335):
  php-wrapper.fcgi does not properly handle command-line arguments, which
  allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and
  5.4.2 and execute arbitrary code by leveraging improper interaction between
  the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +-
  sequence.

CVE-2012-2311 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2311):
  sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when
  configured as a CGI script (aka php-cgi), does not properly handle query
  strings that contain a %3D sequence but no = (equals sign) character, which
  allows remote attackers to execute arbitrary code by placing command-line
  options in the query string, related to lack of skipping a certain
  php_getopt for the 'd' case.  NOTE: this vulnerability exists because of an
  incomplete fix for CVE-2012-1823.

CVE-2012-1823 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1823):
  sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when
  configured as a CGI script (aka php-cgi), does not properly handle query
  strings that lack an = (equals sign) character, which allows remote
  attackers to execute arbitrary code by placing command-line options in the
  query string, related to lack of skipping a certain php_getopt for the 'd'
  case.

Comment 15 Brent Baude (RETIRED) gentoo-dev

2012-05-21 17:53:40 UTC

ppc done

Comment 16 Tim Sammut (RETIRED) gentoo-dev

2012-05-23 02:51:18 UTC

Thanks, everyone. Added to existing GLSA request.

Comment 17 GLSAMaker/CVETool Bot gentoo-dev

2012-09-08 15:27:06 UTC

CVE-2011-1398 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1398):
  The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 does not
  properly handle %0D sequences (aka carriage return characters), which allows
  remote attackers to bypass an HTTP response-splitting protection mechanism
  via a crafted URL, related to improper interaction between the PHP header
  function and certain browsers, as demonstrated by Internet Explorer and
  Google Chrome.

Comment 18 GLSAMaker/CVETool Bot gentoo-dev

2012-09-24 00:27:46 UTC

This issue was resolved and addressed in
 GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml
by GLSA coordinator Sean Amoss (ackle).