Bug 249875 (CVE-2008-5498) - <dev-lang/php-5.2.8-r1: Multiple issues (CVE-2008-{5498,5557,5624,5625,5658,5814,5844})
Summary: <dev-lang/php-5.2.8-r1: Multiple issues (CVE-2008-{5498,5557,5624,5625,5658,5...
Status: RESOLVED FIXED
Alias: CVE-2008-5498
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.sektioneins.de/advisories/...
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks: 238127
Reported: 2008-12-04 23:27 UTC by stupendoussteve
Modified: 2010-01-05 21:12 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Description stupendoussteve 2008-12-04 23:27:08 UTC
From Secunia: Stefan Esser has reported a vulnerability in PHP, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an input validation error within the "ZipArchive::extractTo()" function when extracting ZIP archives. This can be exploited to extract files to arbitrary locations outside the specified directory via directory traversal sequences in a specially crafted ZIP archive.

Ref: http://secunia.com/Advisories/32964/

Reproducible: Always
Comment 1 stupendoussteve 2008-12-04 23:36:14 UTC
The advisory says this is fixed in php 5.2.7, which is not on the main php page but is on the mirrors. http://www.php.net/get/php-5.2.7.tar.bz2/from/a/mirror is functional.

From the actual advisory:
  To exploit this an attacker just needs to
  create a zip archive containing filenames like

     ../../../../../../../../../../../var/www/wr_dir/evil.php

  An easy way to achieve that is to just store a file with a long
  name inside the zip archive and then change it with a hex editor
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-12-07 00:38:02 UTC
Bump will happen on this Sunday most likely, and it'll either end up being in p.mask or shipping a critical patch. Vanilla 5.2.7 has broken magic_quotes_gpc which may lead to severe security issues or render user-supplied data unusable.
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-12-08 14:13:43 UTC
Upstream has dropped 5.2.7 and if we were to ship it with the magic_quotes_gpc fix it would just lead to confusion ("why does Gentoo ship it and upstream has removed it!?"), so we'll be waiting for the hopefully very soon to be released 5.2.8.
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2008-12-08 23:31:50 UTC
php-5.2.8 in the tree, has other security improvements as well. Will provide a list tomorrow and add arches then.


Known test failures with USE="-* cgi cli fastbuild suhosin pcre session":

Bug #30707 (Segmentation fault on exception in method) [Zend/tests/bug30707.phpt]
Bug #31177 (Memory leak) [Zend/tests/bug31177.phpt]
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-15 14:06:37 UTC
(In reply to comment #4)
> Will provide a list tomorrow and add arches then.

Tomorrow is over for a few days now :P, any news here?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-12-18 16:33:34 UTC
CVE-2008-5658 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5658):
  Directory traversal vulnerability in the ZipArchive::extractTo
  function in PHP 5.2.6 and earlier allows context-dependent attackers
  to write arbitrary files via a ZIP file with a file whose name
  contains .. (dot dot) sequences.

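The mitigation that callers of ZipArchive on a pre-5.2.7 PHP had to apply themselves, added here as an example (not code from the bug report or from PHP): every entry name is checked for traversal before extractTo() is called, and an archive containing any bad entry is refused as a whole. It assumes ext/zip is available; the archive it builds is constructed for the demonstration.

```php
<?php
// Added example, not code from this bug report or from PHP: a ZipArchive wrapper
// that refuses entries able to leave the target directory (CVE-2008-5658 class).

// Reject empty names, NUL bytes, absolute paths, drive prefixes and ".." components.
function isSafeEntryName(string $name): bool
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    $norm = str_replace('\\', '/', $name);
    if ($norm[0] === '/' || preg_match('~^[A-Za-z]:~', $norm) === 1) {
        return false;
    }
    return !in_array('..', explode('/', $norm), true);
}

// Returns the rejected entry names; extracts only when none were rejected (fail closed).
function safeExtractTo(ZipArchive $zip, string $dest): array
{
    $destReal = realpath($dest);
    if ($destReal === false || !is_dir($destReal)) {
        throw new RuntimeException("not an existing directory: $dest");
    }
    $names = $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (isSafeEntryName($name)) {
            $names[] = $name;
        } else {
            $rejected[] = $name;
        }
    }
    if ($rejected === [] && !$zip->extractTo($destReal, $names)) {
        throw new RuntimeException('extractTo() failed');
    }
    return $rejected;
}

// Constructed demo archive: one benign entry and one traversal entry, so the
// whole archive is refused and nothing is written under the temp directory.
$path = tempnam(sys_get_temp_dir(), 'demo');
$zip = new ZipArchive();
$zip->open($path, ZipArchive::OVERWRITE);
$zip->addFromString('readme.txt', "benign\n");
$zip->addFromString('../../escaped.txt', "would land outside the target\n");
$zip->close();
$zip->open($path);
var_dump(safeExtractTo($zip, sys_get_temp_dir()));
$zip->close();
unlink($path);
```

The returned array lists the offending entry name, which is the value worth logging or alerting on when untrusted archives are processed.
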
Comment 7 Christian Hoffmann (RETIRED) gentoo-dev 2008-12-18 23:25:12 UTC
php-5.2.8-r1 which I've just added to the tree has the following security-relevant improvements:

  * This version no longer uses the bundled libpcre, but the system version

  * A more complete fix for the c-client-related vulnerabilities (was
    CVE-2008-2829; no idea whether the old fix was incomplete (I'd suspect so)
    or whether the new one is just technically better)


Fixes since 5.2.7:
  * mod_php avoided proper logging of HTTP-authed users to Apache logs [1]

  * Certain XML files could crash scripts relying on certain ext/xml
    functionality (DoS w/ FastCGI) [2]

  * Certain functions in ext/mssql could crash PHP with certain DB contents
    (DoS w/ FastCGI) [3]

  * Missing bounds checking in ext/gd's imagerotate() function allowed for
    exposure of memory contents (e.g. SSL private keys) w/ mod_php
    (CVE-2008-5498)

  * Crash in ext/openssl when using get_headers() w/ a specific target server
    configuration (DoS w/ FastCGI)


Fixes since 5.2.6-r7:
  * Fix for ZipArchive::extractTo() Directory Traversal (CVE-2008-5658)

... and more, I'll prepare a more exhaustive list in the next few days hopefully...


Arches, please test and mark stable:
  =dev-lang/php-5.2.8-r1

Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86

[1] http://bugs.php.net/bug.php?id=46005
[2] http://bugs.php.net/bug.php?id=46699
[3] http://bugs.php.net/bug.php?id=46798
[4] http://bugs.php.net/bug.php?id=46748
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-19 09:32:50 UTC
(In reply to comment #7)
> php-5.2.8-r1 which I've just added to the tree has the following
> security-relevant improvements:
> 
>   * This version no longer uses the bundled libpcre, but the system version

I was thinking about adding a check if libpcre has been built with +unicode as 5.2.8 hit me that way :P - just noticed -r1 already has it :) Thanks!
Comment 9 Brent Baude (RETIRED) gentoo-dev 2008-12-19 16:46:06 UTC
ppc64 done
Comment 10 Markus Meier gentoo-dev 2008-12-20 17:55:02 UTC
amd64/x86 stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-21 22:14:47 UTC
ppc stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-22 05:14:28 UTC
Stable for HPPA.
Comment 13 Friedrich Oslage (RETIRED) gentoo-dev 2008-12-23 12:38:19 UTC
sparc stable
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2008-12-24 18:11:46 UTC
alpha/ia64 stable
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-29 20:13:53 UTC
GLSA request filed.
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-04 16:37:33 UTC
CVE-2008-5624 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5624):
  PHP 5 before 5.2.7 does not properly initialize the page_uid and
  page_gid global variables for use by the SAPI php_getuid function,
  which allows context-dependent attackers to bypass safe_mode
  restrictions via variable settings that are intended to be restricted
  to root, as demonstrated by a setting of /etc for the error_log
  variable.

CVE-2008-5625 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5625):
  PHP 5 before 5.2.7 does not enforce the error_log safe_mode
  restrictions when safe_mode is enabled through a php_admin_flag
  setting in httpd.conf, which allows context-dependent attackers to
  write to arbitrary files by placing a "php_value error_log" entry in
  a .htaccess file.

Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-04 16:42:58 UTC
CVE-2008-5557 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5557):
  Heap-based buffer overflow in
  ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring
  extension in PHP 4.3.0 through 5.2.6 allows context-dependent
  attackers to execute arbitrary code via a crafted string containing
  an HTML entity, which is not properly handled during Unicode
  conversion, related to the (1) mb_convert_encoding, (2)
  mb_check_encoding, (3) mb_convert_variables, and (4) mb_parse_str
  functions.

Sorry for the bugspam, but we need to document what we did with those bugs...
Comment 18 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-20 00:05:12 UTC
CVE-2008-5814 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5814):
  Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and
  earlier, when display_errors is enabled, allows remote attackers to
  inject arbitrary web script or HTML via unspecified vectors.  NOTE:
  because of the lack of details, it is unclear whether this is related
  to CVE-2006-0208.

CVE-2008-5844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5844):
  PHP 5.2.7 contains an incorrect change to the FILTER_UNSAFE_RAW
  functionality, and unintentionally disables magic_quotes_gpc
  regardless of the actual magic_quotes_gpc setting, which might make
  it easier for context-dependent attackers to conduct SQL injection
  attacks and unspecified other attacks.

Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2009-04-06 17:13:23 UTC
arm/s390/sh stable
Comment 20 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-05 21:12:55 UTC
GLSA 201001-03.

Thank you everyone, sorry about the delay.