PHP 5.3.7 changed how the is_a() function worked, and as a result it could allow for remote arbitrary code execution if certain specific conditions are met (the blog post referenced below has a good writeup of the flaw).
The upstream bug at $URL contains a patch.
The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the __autoload
function, which makes it easier for remote attackers to execute arbitrary
code by providing a crafted URL and leveraging potentially unsafe behavior
in certain PEAR packages and custom autoloaders.
The patch is at $URL, please bump it
Sorry for taking so long commenting on this.
Some comments from Matti and I:
Firstly, the attack vector for this exploit is somewhat theoretical as it requires the programmer to write multiple sets of bad user land code, i.e installing this package in itself does not compromise your system.
Secondly, PHP will release a version expected by the end of the next week which reverts the is_a behaviour. Not because of the related security issue, but because it breaks certain PEAR packages in ours and Ubuntu's tree. The bug mentions that current behaviour will be kept in 5.4 tho, but I did not check if this is really the case and upstream have not added any documentation about this in their reference.
5.3.9 containing the revert of is_a behaviour has been released.
"Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to
is_a and is_subclass_of). (alan_k)"
(In reply to comment #4)
> 5.3.9 containing the revert of is_a behaviour has been released.
Shall we move forward to stabilization now via this bug? Tnx!
I even got suhosin into this release (thanks to Hanno), so all good from my side.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
Filed new glsa request
This issue was resolved and addressed in
GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml
by GLSA coordinator Sean Amoss (ackle).