Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 380261 (CVE-2011-3189) - =dev-lang/php-5.3.7: crypt() returns only the salt for MD5 (CVE-2011-3189)
Summary: =dev-lang/php-5.3.7: crypt() returns only the salt for MD5 (CVE-2011-3189)
Status: RESOLVED FIXED
Alias: CVE-2011-3189
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/45678/
Whiteboard: A3 [glsa]
Keywords:
Depends on: CVE-2011-2202
Blocks:
  Show dependency tree
 
Reported: 2011-08-22 17:50 UTC by Agostino Sarubbo
Modified: 2011-10-10 21:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-08-22 17:50:19 UTC
From secunia security advisory at $URL:

Description:
A security issue has been reported in PHP, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to the "crypt()" function only returning the salt when generating salted MD5 hashes and may render e.g. authentication mechanisms relying on the correctness of the "crypt()" function ineffective.

The security issue is reported in version 5.3.7.


Original Advisory:
http://www.php.net/archive/2011.php#id2011-08-22-1
https://bugs.php.net/bug.php?id=55439
Comment 1 Agostino Sarubbo gentoo-dev 2011-08-22 17:55:38 UTC
The fix is in their svn repo.
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2011-08-22 18:00:08 UTC
A new release from PHP is expected tomorrow, so I expect to have an ebuild by wednesday.
Comment 3 Agostino Sarubbo gentoo-dev 2011-08-24 12:50:40 UTC
http://www.php.net/archive/2011.php#id2011-08-23-1
Comment 4 Ole Markus With (RETIRED) gentoo-dev 2011-08-24 14:44:42 UTC
Please see bug #376735
Comment 5 Ole Markus With (RETIRED) gentoo-dev 2011-08-24 14:45:55 UTC
Sorry, that should have been bug #372745
Comment 6 Agostino Sarubbo gentoo-dev 2011-08-24 15:04:24 UTC
adding bug 372745 as a depend as Tim suggest.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2011-09-02 10:58:03 UTC
CVE-2011-3189 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3189):
  The crypt function in PHP 5.3.7, when the MD5 hash type is used, returns the
  value of the salt argument instead of the hashed string, which might allow
  remote attackers to bypass authentication via an arbitrary password, a
  different vulnerability than CVE-2011-2483.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-08 21:45:02 UTC
Fixed in 5.3.8, which is already stable by now. 5.3.7 wasn't stable, but nevertheless added to the GLSA draft now.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-10 21:40:46 UTC
This issue was resolved and addressed in
 GLSA 201110-06 at http://security.gentoo.org/glsa/glsa-201110-06.xml
by GLSA coordinator Tobias Heinlein (keytoaster).