Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 285434 (CVE-2009-3291) - <dev-lang/php-5.2.11: multiple vulnerabilities (CVE-2009-{3291,3292,3293})
Summary: <dev-lang/php-5.2.11: multiple vulnerabilities (CVE-2009-{3291,3292,3293})
Alias: CVE-2009-3291
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B1? [glsa]
: 286359 (view as bug list)
Depends on: 276583
Blocks: 278064
  Show dependency tree
Reported: 2009-09-18 11:38 UTC by Bernd Marienfeldt
Modified: 2010-01-05 21:14 UTC (History)
8 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Bernd Marienfeldt 2009-09-18 11:38:14 UTC
Security Enhancements and Fixes in PHP 5.2.11:

    * Fixed certificate validation inside php_openssl_apply_verification_policy. (Ryan Sleevi, Ilia)
    * Fixed sanity check for the color index in imagecolortransparent(). (Pierre)
    * Added missing sanity checks around exif processing. (Ilia)
    * Fixed bug #44683 (popen crashes when an invalid mode is passed). (Pierre)


Reproducible: Always
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-23 15:36:53 UTC
CVE-2009-3291 (
  The php_openssl_apply_verification_policy function in PHP before
  5.2.11 does not properly perform certificate validation, which has
  unknown impact and attack vectors, probably related to an ability to
  spoof certificates.

CVE-2009-3292 (
  Unspecified vulnerability in PHP before 5.2.11 has unknown impact and
  attack vectors related to "missing sanity checks around exif

CVE-2009-3293 (
  Unspecified vulnerability in the imagecolortransparent function in
  PHP before 5.2.11 has unknown impact and attack vectors related to an
  incorrect "sanity check for the color index."

Comment 2 Bernd Marienfeldt 2009-09-24 11:29:38 UTC
Any updates on this ?

When will dev-lang/php PHP 5.2.11 be available through portage ?
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-25 07:01:15 UTC
*** Bug 286359 has been marked as a duplicate of this bug. ***
Comment 4 Christian Hoffmann (RETIRED) gentoo-dev 2009-09-29 16:41:38 UTC
(In reply to comment #2)
> When will dev-lang/php PHP 5.2.11 be available through portage ?
Approx. after your next sync :)

Please give it a day or two for testing before requesting stabilization.

Not sure about B1, it isn't clear to me whether code execution is possible or not, but apparently mitre had the same problem when assigning the CVEs ;)
Comment 5 Christian Hoffmann (RETIRED) gentoo-dev 2009-10-05 20:32:31 UTC
Arches, please test and mark stable:
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2009-10-05 20:38:36 UTC
Well, have been away for too long.. actually CC'ing arches.

While doing a basic php functionality test anyway, you might want to stabilize suhosin per bug 276583 in the same go.
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-06 22:40:55 UTC
x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-10-07 04:59:20 UTC
Stable for HPPA.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2009-10-07 16:00:33 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 10 Tony Vroon (RETIRED) gentoo-dev 2009-10-07 16:23:36 UTC
+  07 Oct 2009; <> php-5.2.11.ebuild:
+  Marked stable on AMD64 as requested by Bernd Marienfeldt in security bug
+  #285434. Tested with USE="apache2 berkdb bzip2 calendar cgi cli crypt
+  ctype curl gd iconv imap ipv6 mhash mysql ncurses nls pcre pic posix
+  readline session snmp spl ssl threads tokenizer truetype unicode xml
+  xmlrpc zlib" serving on hardened AMD64 non-multilib system.
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-10-18 14:36:45 UTC
ppc64 done
Comment 12 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-10-19 09:13:33 UTC
ppc stable
It was the last arch so the bug is ready to be fixed by security team.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2009-11-06 09:31:29 UTC
GLSA together with bug 260576, bug 266125, and bug 255121.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-05 21:14:06 UTC
GLSA 201001-03.

Thank you everyone, sorry about the delay.