
Bug 64223

Summary: <=dev-php/php: two vulnerabilities
Product: Gentoo Security
Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: php-bugs
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://securitytracker.com/alerts/2004/Sep/1011307.html
Whiteboard: A4 [glsa] krispy
Package list:
Runtime testing required: ---

Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-16 01:24:28 UTC
Two vulnerabilities have been found in php... the second one only seems to affect PHP5, which is ~arch masked atm.

_________________________________________________
http://securitytracker.com/alerts/2004/Sep/1011307.html :

PHP Array Processing Error in Handling RFC1867 MIME Formatting May Let Remote Users Overwrite Memory
CVE Reference:  GENERIC-MAP-NOMATCH

Impact:  Modification of system information, Modification of user information
Fix Available: Yes   Vendor Confirmed: Yes

Version(s): 5.0.1 and prior versions

Description:
A vulnerability was reported in PHP in the processing of MIME data. A remote user may be able to cause memory to be overwritten.

Stefano Di Paola reported that there is an array processing error in the SAPI_POST_HANDLER_FUNC() function 'rfc1867.c'. A remote user may be able to cause the $_FILES array elements to be overwritten.

Impact:
A remote user may be able to overwrite memory on the target system.

Solution:
A fix is available via CVS at: http://cvs.php.net/php-src/main/rfc1867.c

____________________________________________________________________

http://securitytracker.com/alerts/2004/Sep/1011279.html :

PHP Array Parsing Error in php_variables May Disclose Memory Contents via phpinfo()
SecurityTracker Alert ID:  1011279

CVE Reference:  GENERIC-MAP-NOMATCH

Impact:
Disclosure of system information, Disclosure of user information
Fix Available: Yes   Exploit Included: Yes   Vendor Confirmed: Yes

Version(s): 5.0 - 5.0.1

Description:
A vulnerability was reported in PHP in the phpinfo() function. A remote user may be able to obtain memory contents.

Stefano Di Paola reported that an array parsing error in 'php_variables.c' may cause the system to display arbitrary memory contents. A remote user can append a GET, POST, or COOKIE variable array to a request to trigger the flaw.

A demonstration exploit is shown [where 'phpinfo.php' contains the phpinfo() function]:

$ curl "http://www.example.com/phpinfo.php" -d `perl -e 'print "f"x100;print "[g][=1"'`

Alternately, the file may contain a print_r($_REQUEST) function call.

Impact:
A remote user may be able to obtain random memory contents.

Solution:
A fix is available via CVS:
http://chora.php.net/php-src/main/php_variables.c
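Both advisories above hinge on how PHP turns a request variable name into array keys: the phpinfo() proof of concept sends a name of 100 "f" characters followed by "[g][", where the last "[" is never closed, and the rfc1867.c issue sits in the code that parses multipart field names into $_FILES. The script below is an added example, not code from the bug report, SecurityTracker or PHP: it scans a urlencoded or multipart request body and reports every variable name that ends inside an open bracket, so the PoC shape can be spotted in proxy or WAF logs while the upgrade to 4.3.9 / 5.0.2 discussed later in this bug is rolled out. The sample bodies, the boundary string and the field names are constructed for the example, and the bracket rule is a deliberate simplification of PHP's parser (an assumption), not a model of the actual memory defect.

```python
import re
from urllib.parse import parse_qsl

UNTERMINATED = "unterminated '['"


def name_defect(name):
    """Return a defect string if NAME has a '[' that is never closed.

    PHP turns a request variable name such as user[name] into nested
    array keys by scanning for '[' and the next ']'. A name that ends
    inside an open bracket, as in the phpinfo() proof of concept above,
    is the shape this check flags. Nothing else about PHP's parser is
    modelled here (assumption of this example).
    """
    i = name.find("[")
    while i != -1:
        j = name.find("]", i + 1)
        if j == -1:
            return UNTERMINATED
        i = name.find("[", j + 1)
    return None


def urlencoded_names(body):
    """Variable names from a GET query string or a urlencoded POST body."""
    return [k for k, _ in parse_qsl(body, keep_blank_values=True)]


# Field name from the Content-Disposition header of one multipart part.
# \bname= avoids matching the 'name=' inside 'filename='.
_DISPOSITION = re.compile(
    r'Content-Disposition:\s*form-data;[^\r\n]*?\bname="([^"]*)"', re.I)


def multipart_names(body, boundary):
    """Field names from a multipart/form-data body (the input rfc1867.c parses)."""
    names = []
    for part in body.split("--" + boundary):
        m = _DISPOSITION.search(part)
        if m:
            names.append(m.group(1))
    return names


def scan_request(content_type, body):
    """Return [(name, defect)] for every suspicious variable name in BODY."""
    if content_type.lower().startswith("multipart/form-data"):
        m = re.search(r"boundary=([^;\s]+)", content_type)
        if not m:
            return []
        names = multipart_names(body, m.group(1))
    else:
        names = urlencoded_names(body)
    return [(n, d) for n in names if (d := name_defect(n))]


# Constructed sample requests (not captured traffic).
POC_BODY = "f" * 100 + "[g][=1"   # same shape the curl/perl PoC above sends
BENIGN_BODY = "user[name]=alice&tags[]=a&tags[]=b"
MULTIPART_CT = "multipart/form-data; boundary=XyZ"   # boundary is made up
MULTIPART_BODY = (
    "--XyZ\r\n"
    'Content-Disposition: form-data; name="upload[file][="; filename="a.txt"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    "hello\r\n"
    "--XyZ\r\n"
    'Content-Disposition: form-data; name="comment"\r\n'
    "\r\n"
    "hi\r\n"
    "--XyZ--\r\n"
)

if __name__ == "__main__":
    for ct, body in [("application/x-www-form-urlencoded", POC_BODY),
                     ("application/x-www-form-urlencoded", BENIGN_BODY),
                     (MULTIPART_CT, MULTIPART_BODY)]:
        print(ct, "->", scan_request(ct, body))
```

The check is coarse on purpose: a benign form can legitimately send names like tags[] or user[name], so only an unterminated bracket is reported, and a hit is a reason to look at the request, not proof of exploitation. The fix remains the upgraded packages; this only helps you see who is probing for the bug in the meantime.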
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 03:43:11 UTC
Not sure the provided patch applies to PHP4...
PHP team, please comment.
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-09-16 04:50:17 UTC
It doesn't look to me like this affects PHP4...
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 05:20:29 UTC
Theoretically, the RFC1867 thing affects all versions (but I didn't check the code, you tell me). The other (phpinfo leak) specifically affects version 5.x.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 09:02:52 UTC
KrispyKringle, you will coordinate this one.
Comment 5 Dan Margolis (RETIRED) gentoo-dev 2004-09-16 09:55:44 UTC
Seems to me that http://cvs.php.net/php-src/main/rfc1867.c contains a fix for both the 5.0 and the 4.3 branches. 

PHP team, we're waiting on you. 
Comment 6 Dan Margolis (RETIRED) gentoo-dev 2004-09-20 07:37:42 UTC
PHP team, this is a fairly minor patch. Would someone give me some indication that something is being done? :) Thanks. 
Comment 7 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-09-20 08:43:35 UTC
work in progress now.
php-5.0.1-securityfix.tgz on the mirrors with two patches for PHP5.0.1

For the PHP4 series I'm just going to roll out 4.3.9rc3 which contains the fixes already.
Comment 8 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-09-24 08:55:36 UTC
upstream has released 4.3.9 and 5.0.2, which roll these fixes and more in.
Should have them in the tree and tested on my side by the end of the day.
Comment 9 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-09-24 11:29:38 UTC
in cvs now.
still testing them.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-09-27 02:18:41 UTC
Target keywords for PHP 4.3.9 : "x86 ppc sparc alpha hppa amd64 ia64 ~s390 ppc64"
No stable keywords needed for PHP 5.0.2.

Arches, please mark dev-php/php-4.3.9 stable.
Comment 11 Jochen Maes (RETIRED) gentoo-dev 2004-09-27 04:40:39 UTC
stable on ppc
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-27 12:38:55 UTC
mod_php-4.3.9, php-4.3.9 & php-cgi-4.3.9 sparc stable.
AFAIK the three packages should be stable and not just php-4.3.9, please tell ppc because they just missed the others :)
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-09-27 13:58:31 UTC
Thx Gustavo for pointing that out.

Target keywords are :
dev-php/php-4.3.9     : "x86 ppc sparc alpha hppa amd64 ia64 ~s390 ppc64"
dev-php/mod_php-4.3.9 : "x86 ppc sparc alpha hppa amd64 ia64 ~s390"
dev-php/php-cgi-4.3.9 : "x86 sparc alpha hppa ppc ia64"

Recalling ppc who needs two more stable keywords.
Comment 14 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-27 14:27:21 UTC
Stable on alpha.
Comment 15 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-09-28 05:51:48 UTC
stable on ppc
Comment 16 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-09-28 10:33:28 UTC
4.3.9 stable on x86 - now that i've tested the crap out of it.

php-5.0.2 doesn't seem stable at all :-(.
Comment 17 SpanKY gentoo-dev 2004-09-28 11:20:05 UTC
ia64 has those three packages (4.3.9) stable now
Comment 18 Dan Margolis (RETIRED) gentoo-dev 2004-09-28 12:41:45 UTC
Why are we closing this bug? Still waiting on amd64 to mark stable, and we still need a GLSA. 
Comment 19 Dan Margolis (RETIRED) gentoo-dev 2004-09-29 07:15:05 UTC
amd64, we need some loving. 
Comment 20 SpanKY gentoo-dev 2004-09-29 08:53:18 UTC
closing of bug was accident

building on hppa now
Comment 21 SpanKY gentoo-dev 2004-09-30 06:12:39 UTC
had a problem with sablotron but resolved that myself

hppa stable now
Comment 22 SpanKY gentoo-dev 2004-09-30 06:45:23 UTC
amd64 stable now, enjoy
Comment 23 Dan Margolis (RETIRED) gentoo-dev 2004-10-05 18:27:41 UTC
GLSA 200410-04
Comment 24 Tom Gall (RETIRED) gentoo-dev 2004-10-09 18:34:02 UTC
stable on ppc64, thanks!