Bug 185586 - dev-lang/php-5.2.X "glob()" Code Execution Vulnerability
Summary: dev-lang/php-5.2.X "glob()" Code Execution Vulnerability
Status: RESOLVED DUPLICATE of bug 180556
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/26085/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-07-16 19:15 UTC by Lars Hartmann
Modified: 2007-07-16 20:37 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Lars Hartmann 2007-07-16 19:15:53 UTC
Description:
shinnai has discovered a vulnerability in PHP, which can be exploited by malicious, local users to bypass certain security restrictions.

The vulnerability is caused due to an error in the handling of an uninitialized structure inside the "glob()" function. This can be exploited to execute arbitrary code, which may lead to security restrictions (e.g. the "disable_functions" directive) being bypassed.

The vulnerability is confirmed in the 5.2.3 win32 installer. Other versions may also be affected.

Solution:
Grant only trusted users permissions to execute PHP code.

Provided and/or discovered by:
shinnai

Original Advisory:
http://milw0rm.com/exploits/4181

Reproducible: Always
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-07-16 19:26:59 UTC

*** This bug has been marked as a duplicate of bug 180556 ***
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2007-07-16 20:37:57 UTC
This bug is NOT a dup.
But I'm not sure whether we are affected by this at all. I asked some upstream devs and they had different explanations: either Windows-only (happens there because of some glob() emulation code in PHP) or a glibc bug. A patch [1] was mentioned, but not committed to their CVS until now.
The example exploit doesn't lead to any segfault or similar on my machine, so it might be really the case that only Windows is affected.

But let's see what upstream does with it...

[1] http://dev.daylessday.org/diff/glob.diff