Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 74547 - Multiple Vulnerabilities in PHP (CAN-2004-1018, CAN-2004-1019, CAN-2004-1063, CAN-2004-1064)
Summary: Multiple Vulnerabilities in PHP (CAN-2004-1018, CAN-2004-1019, CAN-2004-1063,...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High critical (vote)
Assignee: Gentoo Security
URL: http://www.hardened-php.net/advisorie...
Whiteboard: A1 [glsa] jaervosz
Keywords:
: 74600 (view as bug list)
Depends on: 74627
Blocks:
  Show dependency tree
 
Reported: 2004-12-15 13:11 UTC by Hanno Böck
Modified: 2007-06-24 23:32 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
build log (php-cgi-4.3.10-sparc-build.log,21.01 KB, text/plain)
2004-12-16 04:32 UTC, Christian Birchinger (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2004-12-15 13:11:10 UTC
Stefan Esser has discovered various serious security issues in php (see link).
Updates to 4.3.10 and 5.0.3 with fixes are available.
Comment 1 Hanno Böck gentoo-dev 2004-12-15 14:06:58 UTC
After a quick test, it seems that just copying the php-5.0.2-r1.ebuild and mod_php-5.0.2.ebuild to 5.0.3 works.
Comment 2 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2004-12-15 15:26:16 UTC

*** This bug has been marked as a duplicate of 72735 ***
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-15 22:55:17 UTC
Reopening to handle stable marking. 
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-15 22:58:55 UTC
Arches please mark 4.3.10 stable.

Comment 5 Jochen Maes (RETIRED) gentoo-dev 2004-12-16 00:24:17 UTC
stable on ppc
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-16 01:28:42 UTC
*** Bug 74600 has been marked as a duplicate of this bug. ***
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2004-12-16 02:19:17 UTC
stable on ppc64
Comment 8 Dylan Carlson (RETIRED) gentoo-dev 2004-12-16 02:40:10 UTC
stable on amd64.
Comment 9 Stuart Herbert (RETIRED) gentoo-dev 2004-12-16 02:46:16 UTC
Please make sure that you test & mark the following packages:

* dev-php/php-4.3.10
* dev-php/mod_php-4.3.10
* dev-php/php-cgi-4.3.10

PHP 5.0.2 wasn't marked stable, so we don't need (and shouldn't be!) marking PHP-5.0.3 as stable.

Best regards,
Stu
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-12-16 03:23:36 UTC
There are more fixed than just what was reported in Stefan's advisory :
See http://www.php.net/release_4_3_10.php

---------------------
CAN-2004-1018 - shmop_write() out of bounds memory write access.
CAN-2004-1018 - integer overflow/underflow in pack() and unpack() functions.
CAN-2004-1019 - possible information disclosure, double free and negative reference index array underflow in deserialization code.
CAN-2004-1020 - addslashes() not escaping \0 correctly.
CAN-2004-1063 - safe_mode execution directory bypass.
CAN-2004-1064 - arbitrary file access through path truncation.
CAN-2004-1065 - exif_read_data() overflow on long sectionname.
magic_quotes_gpc could lead to one level directory traversal with file uploads.
---------------------
Comment 11 Christian Birchinger (RETIRED) gentoo-dev 2004-12-16 04:32:17 UTC
Created attachment 46114 [details]
build log

4.3.10 doesn't build on my sparc
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2004-12-16 05:53:22 UTC
I'm getting the same (broken) results as Joker for my ultra.
Comment 13 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-12-16 06:11:17 UTC
Could you please trace the errors in the zend .c file that is referenced in your errors there.
Comment 14 Christian Gut 2004-12-16 08:17:12 UTC
(php|php-cgi)-4.3.10 built on two i386 machines FYI

Just had to fiddle with java and LDPATHs
Comment 15 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-12-16 10:31:15 UTC
Sparc: please see bug #74627 
I don't know why it didn't catch PPC.
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2004-12-16 10:41:48 UTC
Probably because ppc is including stdint.h, linux/types.h or bits/types.h somewhere else which sparc isn't.
I'm currently building fixed ebuilds for sparc, be back soon.
Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev 2004-12-16 18:36:30 UTC
php-4.3.10, mod_php-4.3.10 & php-cgi-4.3.10 sparc stable with the fix. It's just applied for sparc since i won't have access to a ppc box until tomorrow and it seems it's required and/or could break them.
BTW, ppc forgot about php-cgi.
Comment 18 Bryan Østergaard (RETIRED) gentoo-dev 2004-12-17 02:47:56 UTC
Alpha stable.
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-18 03:13:14 UTC
SeJo you forget to mark mod_php stable. See comment #9
Comment 20 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2004-12-18 04:23:12 UTC
ppc done.
Comment 21 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-18 04:46:50 UTC
Thx Micheal, please remember to remove CC:-)
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2004-12-19 06:01:23 UTC
GLSA 200412-14
hppa, ia64, mips, s390 : please mark stable to benefit from GLSA.
Comment 23 Hardave Riar (RETIRED) gentoo-dev 2005-02-21 13:37:26 UTC
Mips Stable.
Comment 24 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 05:12:58 UTC
Already stable on hppa