
Bug 74547

Summary: Multiple Vulnerabilities in PHP (CAN-2004-1018, CAN-2004-1019, CAN-2004-1063, CAN-2004-1064)
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: christian.korff, cycloon, php-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.hardened-php.net/advisories/012004.txt
Whiteboard: A1 [glsa] jaervosz
Package list:
Runtime testing required: ---
Bug Depends on: 74627    
Bug Blocks:    
Attachments:
Description Flags
build log none

Description Hanno Böck gentoo-dev 2004-12-15 13:11:10 UTC
Stefan Esser has discovered various serious security issues in php (see link).
Updates to 4.3.10 and 5.0.3 with fixes are available.
Comment 1 Hanno Böck gentoo-dev 2004-12-15 14:06:58 UTC
After a quick test, it seems that just copying the php-5.0.2-r1.ebuild and mod_php-5.0.2.ebuild to 5.0.3 works.
Comment 2 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-12-15 15:26:16 UTC

*** This bug has been marked as a duplicate of 72735 ***
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-15 22:55:17 UTC
Reopening to handle stable marking. 
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-15 22:58:55 UTC
Arches please mark 4.3.10 stable.

Comment 5 Jochen Maes (RETIRED) gentoo-dev 2004-12-16 00:24:17 UTC
stable on ppc
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-16 01:28:42 UTC
*** Bug 74600 has been marked as a duplicate of this bug. ***
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2004-12-16 02:19:17 UTC
stable on ppc64
Comment 8 Dylan Carlson (RETIRED) gentoo-dev 2004-12-16 02:40:10 UTC
stable on amd64.
Comment 9 Stuart Herbert (RETIRED) gentoo-dev 2004-12-16 02:46:16 UTC
Please make sure that you test & mark the following packages:

* dev-php/php-4.3.10
* dev-php/mod_php-4.3.10
* dev-php/php-cgi-4.3.10

PHP 5.0.2 wasn't marked stable, so we don't need to (and shouldn't!) mark PHP-5.0.3 as stable.

Best regards,
Stu
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-12-16 03:23:36 UTC
There is more fixed than just what was reported in Stefan's advisory:
See http://www.php.net/release_4_3_10.php

---------------------
CAN-2004-1018 - shmop_write() out of bounds memory write access.
CAN-2004-1018 - integer overflow/underflow in pack() and unpack() functions.
CAN-2004-1019 - possible information disclosure, double free and negative reference index array underflow in deserialization code.
CAN-2004-1020 - addslashes() not escaping \0 correctly.
CAN-2004-1063 - safe_mode execution directory bypass.
CAN-2004-1064 - arbitrary file access through path truncation.
CAN-2004-1065 - exif_read_data() overflow on long sectionname.
magic_quotes_gpc could lead to one level directory traversal with file uploads.
---------------------
Comment 11 Christian Birchinger (RETIRED) gentoo-dev 2004-12-16 04:32:17 UTC
Created attachment 46114
build log

4.3.10 doesn't build on my sparc
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2004-12-16 05:53:22 UTC
I'm getting the same (broken) results as Joker for my ultra.
Comment 13 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-12-16 06:11:17 UTC
Could you please trace the errors in the zend .c file that is referenced in your errors there.
Comment 14 Christian Gut 2004-12-16 08:17:12 UTC
(php|php-cgi)-4.3.10 built on two i386 machines FYI

Just had to fiddle with java and LDPATHs
Comment 15 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-12-16 10:31:15 UTC
Sparc: please see bug #74627 
I don't know why it didn't catch PPC.
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2004-12-16 10:41:48 UTC
Probably because ppc is including stdint.h, linux/types.h or bits/types.h somewhere else which sparc isn't.
I'm currently building fixed ebuilds for sparc, be back soon.
Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev 2004-12-16 18:36:30 UTC
php-4.3.10, mod_php-4.3.10 & php-cgi-4.3.10 sparc stable with the fix. It's just applied for sparc since I won't have access to a ppc box until tomorrow and it seems it's required and/or could break them.
BTW, ppc forgot about php-cgi.
Comment 18 Bryan Østergaard (RETIRED) gentoo-dev 2004-12-17 02:47:56 UTC
Alpha stable.
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-18 03:13:14 UTC
SeJo, you forgot to mark mod_php stable. See comment #9
Comment 20 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2004-12-18 04:23:12 UTC
ppc done.
Comment 21 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-18 04:46:50 UTC
Thx Michael, please remember to remove CC :-)
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2004-12-19 06:01:23 UTC
GLSA 200412-14
hppa, ia64, mips, s390: please mark stable to benefit from GLSA.
Comment 23 Hardave Riar (RETIRED) gentoo-dev 2005-02-21 13:37:26 UTC
Mips Stable.
Comment 24 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 05:12:58 UTC
Already stable on hppa