Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 410957 (CVE-2012-1172) - <dev-lang/php-5.3.13: Corrupted $_FILES indices lead to security concern (CVE-2012-1172)
Summary: <dev-lang/php-5.3.13: Corrupted $_FILES indices lead to security concern (CVE...
Status: RESOLVED FIXED
Alias: CVE-2012-1172
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=55500
Whiteboard: A3 [glsa]
Keywords:
Depends on: 413785 CVE-2012-1823
Blocks:
  Show dependency tree
 
Reported: 2012-04-05 21:08 UTC by Tim Sammut (RETIRED)
Modified: 2012-09-24 00:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2012-04-05 21:08:05 UTC
A security concern has been fixed in PHP 5.4.0 according to the changelog at [1]. The upstream bug at $URL is currently private.

[1] http://www.php.net/ChangeLog-5.php#5.4.0
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-04-05 21:09:01 UTC
It looks like this issue was reported in version 5.3.8 according to what information I can see in the upstream bug header.
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2012-04-06 09:51:51 UTC
Fixed in 5.4.0

For 5.3, it has been committed to 5.3 HEAD [1], but no release yet. Upstream release is on its way though.

[1] http://git.php.net/?p=php-src.git;a=commit;h=95dcd799fb6fdccbc60d3bba3cd759f6b421ee69
Comment 3 Ole Markus With (RETIRED) gentoo-dev 2012-04-26 13:51:43 UTC
(In reply to comment #2)

> For 5.3, it has been committed to 5.3 HEAD [1], but no release yet. Upstream
> release is on its way though.

5.3.11 has been released and may be stabilised.
Comment 4 Sean Amoss gentoo-dev Security 2012-04-27 23:43:57 UTC
(In reply to comment #3)
> 5.3.11 has been released and may be stabilised.

Thank you.

Arches, please test and mark stable:
=dev-lang/php-5.3.11
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Andreas Schürch gentoo-dev 2012-04-29 17:40:18 UTC
x86 stable, thanks.
Comment 6 Agostino Sarubbo gentoo-dev 2012-04-30 12:39:01 UTC
amd64 stable
Comment 7 Jeroen Roovers gentoo-dev 2012-05-01 04:33:17 UTC
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2012-05-03 20:28:19 UTC
arm stable
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-05-04 04:06:21 UTC
Removing arches as we need to work in 414553 instead.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2012-05-23 02:51:50 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 19:50:20 UTC
CVE-2012-1172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1172):
  The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not
  properly handle invalid [ (open square bracket) characters in name values,
  which makes it easier for remote attackers to cause a denial of service
  (malformed $_FILES indexes) or conduct directory traversal attacks during
  multi-file uploads by leveraging a script that lacks its own filename
  restrictions.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 00:27:43 UTC
This issue was resolved and addressed in
 GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml
by GLSA coordinator Sean Amoss (ackle).