Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 234102 - dev-lang/php < 5.2.6-r6: arbitrary code execution, DoS, safe_mode bypass (CVE-2008-{3658,3659,3660})
Summary: dev-lang/php < 5.2.6-r6: arbitrary code execution, DoS, safe_mode bypass (CVE...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1? [glsa]
: 229287 (view as bug list)
Depends on:
Blocks: 228369
  Show dependency tree
Reported: 2008-08-06 16:36 UTC by Christian Hoffmann (RETIRED)
Modified: 2008-11-16 16:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Christian Hoffmann (RETIRED) gentoo-dev 2008-08-06 16:36:18 UTC
Welcome to our monthly php security bug...

I'll be adding php-5.2.6-r6 in a minute, which contains several possibly security-relevant fixes:

#1 The patch for the recent pcre issue (bug 228091, CVE-2008-2371) has been
   updated (it now uses the official patch from pcre upstream, instead of
   the attached version to our bug).
   As far as I can see, this does not introduce any security-relevant

#2 Specially crafted font fails can lead to an overflow in ext/gd's
   imageloadfont() function; this is at least a DoS issue which might even
   allow for code execution; Pierre (gd maintainer) thinks it might well
   be possible that the font file is user-supplied in certain webapps,
   as such this could be a remote code execution vulnerability at worst.

#3 PHP (as cgi/fastcgi) crashes when accessing foo..php (double-dot);
   probably just a crash issue, at worst this could be called DoS

#4 PHP's ext/xmlrpc's xmlrpc_server_register_introspection_callback
   function crashes w/ invalid callbacks (local crash issue only)

#5 It was possible to circumvent safe_mode by using stream
   wrappers in functions which did not expect any.
   See bug 228369 for details (CVE-2008-2665, CVE-2008-2666)

#6 PHP's internal memnstr() function allowed for overflows. It is used by
   the PHP function explode() (which is very common and often works on
   user-supplied data). This at least allows for DoS and maybe even for
   code execution (local or remote, depending on the webapp).
   Some upstream developers seem to try to actively make this issue look
   less critical [1].

Comment 1 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-06 17:47:35 UTC
Bleh, one of the patches introduces a strange segfault, which I am unable to track down quickly. This will have to wait for tomorrow then.
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-07 10:25:19 UTC
*** Bug 229287 has been marked as a duplicate of this bug. ***
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-07 10:31:48 UTC
#7 There was some memory corruption issue (would probably rather hard to

php-5.2.6-r6 is in the tree (the weird segfault I was referring to just happens in some edge cases and is not a regression, so this shouldn't prevent us from stabling this).

Issue #6 was previously tracked in bug 229287, btw.

Ready for stablization from my side.
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-07 12:34:20 UTC
Arches, please test and stabilize:

Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86 ~x86-fbsd
To do: alpha arm hppa ia64 ppc ppc64 s390 sh sparc x86

Please note that there have been two versions of php-5.2.6-r6 in the tree. Both install the very same files, but the first version did not build on some systems. In short: If you see a build problem related to "yyerror" symbols, cvs up first. ;)
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2008-08-07 18:40:24 UTC
ppc64 stable
Comment 6 Markus Meier gentoo-dev 2008-08-07 21:49:52 UTC
x86 stable, amd64 was already done by hoffie.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-07 22:29:51 UTC
Stable for HPPA.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-08-08 18:05:54 UTC
alpha/ia64/sparc stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-08-08 19:20:35 UTC
ppc stable
Comment 10 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-13 09:25:21 UTC
CVE-2008-3658: #2 (gd issue)
CVE-2008-3659: #6 memnstr() overflow
CVE-2008-3660: #3 FastCGI-related "foo..php" crash
Comment 11 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-07 17:29:04 UTC
Debian classifies this as RCE (#2 and #6).
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-16 16:15:07 UTC
GLSA 200811-05, thanks everyone, especially hoffie.