Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 212211 (CVE-2008-0599) - dev-lang/php < 5.2.6_rc1-r1: Multiple crash issues, CVE-2008-0599
Summary: dev-lang/php < 5.2.6_rc1-r1: Multiple crash issues, CVE-2008-0599
Alias: CVE-2008-0599
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A2? [glsa]
Depends on:
Reported: 2008-03-03 16:46 UTC by Christian Hoffmann (RETIRED)
Modified: 2008-11-16 16:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Christian Hoffmann (RETIRED) gentoo-dev 2008-03-03 16:46:43 UTC
Again, lots of crash fixes (think of DoS) and one security issue whose impact I don't know:
  1. CVE-2008-0599 [1] (that's all what the commit message says; it must be
     related to wrong logic when handling paths in CGI environments)
  2. Crash in metaphone(), see upstream bug 44242 [2].
     Looks like a buffer overflow, but only off-by-one and there will simply
     be written a ASCIIZ after the end of the allocated space -- this should
     not allow for code execution, imo, but I'm not exactly sure.
     This function might take user input in web apps, so it would be exploitable
  3. Crash in filter extension when using callbacks.
     Not many details except for the commit [3], doesn't look like a typical
     function which takes user input, so rather the problem of the developer
     and not a typical remote DoS problem.
  4. Crash in PDO when using "wrong" prepared statements, upstream
     bug 44200 [4]
     IMO this only happens when the code author already has wrong code, so not
     high priority either
  5. Crash in strftime() with large negative values, upstream bug 44216 [5].
     Some web apps might take such time stamps as user input => remote DoS
  6. Crash when using syslog + USE=threads (ZTS), upstream bug 44152 [6]
     Does not look like a controllable DoS and only seems to affect some very
     specific setups.
  7. Crash in PDO by passing invalid args to setAttribute, upstream
     bug 44159 [7].
     I don't think one is supposed to pass user input to this function => not
     a remote DoS problem.
  8. Crash in MySQLi extension [8], no clue about circumstances / other

Our snapshot (5.2.5_p*) *is* vulnerable to these problems, 5.2.6_rc1 (which I committed some hours ago) has all the fixes.

As always, blame upstream, don't blame me for the amount of possible security problems. =)

Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-03 18:18:40 UTC
/me blames upstream.

Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release s390 sh sparc x86"
Comment 2 Markus Meier gentoo-dev 2008-03-03 20:55:44 UTC
x86 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-03 23:58:39 UTC
Stable for HPPA.
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-03-04 12:26:47 UTC
alpha/ia64/sparc stable
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2008-03-04 20:35:48 UTC
ppc64 stable
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 20:35:10 UTC
Sorry for the dance again, but a new php revbump fixes regressions, see ChangeLog.

Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release s390 sh sparc x86"
Comment 7 Brent Baude (RETIRED) gentoo-dev 2008-03-06 03:02:57 UTC
ppc64 done
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-06 15:06:32 UTC
Stable for HPPA.

Exts skipped    :   31
Exts tested     :   48

Number of tests : 5452              3958
Tests skipped   : 1494 ( 27.4%) --------
Tests warned    :    1 (  0.0%) (  0.0%)
Tests failed    :   84 (  1.5%) (  2.1%)
Tests passed    : 3873 ( 71.0%) ( 97.9%)
Time taken      : 5056 seconds
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-03-06 15:59:08 UTC
alpha/ia64/sparc stable
Comment 10 Dawid Węgliński (RETIRED) gentoo-dev 2008-03-07 13:26:18 UTC
x86 stable
Comment 11 Peter Volkov (RETIRED) gentoo-dev 2008-03-08 19:33:50 UTC
amd64 stable.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-09 08:07:50 UTC
ppc stable
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-03-09 10:27:08 UTC
Fixed in release snapshot.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-05-06 15:31:47 UTC
Name:      CVE-2008-0599
cgi_main.c in PHP before 5.2.6 does not properly calculate the length of
PATH_TRANSLATED, which has unknown impact and attack vectors.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-16 16:14:45 UTC
GLSA 200811-05, thanks everyone, especially hoffie.