Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 372745 (CVE-2011-2202) - <dev-lang/php-5.3.7: multiple vulnerabilities (CVE-2011-{2202,2483,3182,3267,3268})
Summary: <dev-lang/php-5.3.7: multiple vulnerabilities (CVE-2011-{2202,2483,3182,3267,...
Status: RESOLVED FIXED
Alias: CVE-2011-2202
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major with 1 vote (vote)
Assignee: Gentoo Security
URL: http://www.php.net/archive/2011.php#i...
Whiteboard: A2 [glsa]
Keywords:
Depends on: 380513
Blocks: CVE-2011-3189
  Show dependency tree
 
Reported: 2011-06-24 00:51 UTC by GLSAMaker/CVETool Bot
Modified: 2011-10-10 20:45 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:51:06 UTC
CVE-2011-2202 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2202):
  The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does
  not properly restrict filenames in multipart/form-data POST requests, which
  allows remote attackers to conduct absolute path traversal attacks, and
  possibly create or overwrite arbitrary files, via a crafted upload request,
  related to a "file path injection vulnerability."
Comment 1 Hanno Böck gentoo-dev 2011-08-18 14:34:02 UTC
5.3.7 fixes a whole number of security issues. Also interesting: Seems we can get suhosin back for 5.3.7:
http://twitter.com/#!/i0n1c/status/104194056384552960
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2011-08-20 13:31:05 UTC
(In reply to comment #1)
> 5.3.7 fixes a whole number of security issues. Also interesting: Seems we can
> get suhosin back for 5.3.7:
> http://twitter.com/#!/i0n1c/status/104194056384552960

Yep. An update to the suhosin patch was released.
I am not going to release 5.3.7 because of the crypt() breakage, but rather wait for 5.3.7pl1, 5.3.8 or whatever they end up calling it. I expect it should be released shortly.
Comment 3 Ole Markus With (RETIRED) gentoo-dev 2011-08-24 08:51:48 UTC
5.3.8 is released and can be stabilised.
You also need to stabilise dev-db/sqlite-3.7.7.1

Also note related bug 38026.

This version includes suhosin, which may make some security people happy.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-08-24 14:57:51 UTC
(In reply to comment #3)
> 5.3.8 is released and can be stabilised.
> You also need to stabilise dev-db/sqlite-3.7.7.1
> 
> Also note related bug 38026.
> 
> This version includes suhosin, which may make some security people happy.

Great, thank you.

Arches, please test and mark stable:
=dev-lang/php-5.3.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-08-24 15:07:13 UTC
Sorry for the bugspam. The correct target list is:

Arches, please test and mark stable:
=dev-lang/php-5.3.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

=dev-db/sqlite-3.7.7.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Thanks, ago, for keeping me honest.
Comment 6 Jeroen Roovers gentoo-dev 2011-08-25 03:19:00 UTC
(In reply to comment #3)
> Also note related bug 38026.

Probably not the bug you wanted to mention.
Comment 7 Ole Markus With (RETIRED) gentoo-dev 2011-08-25 07:59:29 UTC
(In reply to comment #6)
> (In reply to comment #3)
> > Also note related bug 38026.
> 
> Probably not the bug you wanted to mention.

Quite. Seems like I missed a bit. I was aiming for bug 380261.

Sorry about that.
Comment 8 Jeroen Roovers gentoo-dev 2011-08-25 11:51:54 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2011-08-25 17:26:17 UTC
amd64 ok
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-08-25 17:37:50 UTC
ppc/ppc64 stable
Comment 11 Thomas Kahle (RETIRED) gentoo-dev 2011-08-26 06:54:31 UTC
x86 done. Thanks
Comment 12 Markos Chandras (RETIRED) gentoo-dev 2011-08-26 13:53:28 UTC
amd64 done. Thanks Agostino
Comment 13 Markus Meier gentoo-dev 2011-08-28 13:39:13 UTC
arm stable
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2011-09-02 11:03:43 UTC
CVE-2011-3268 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3268):
  Buffer overflow in the crypt function in PHP before 5.3.7 allows
  context-dependent attackers to have an unspecified impact via a long salt
  argument, a different vulnerability than CVE-2011-2483.

CVE-2011-3267 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3267):
  PHP before 5.3.7 does not properly implement the error_log function, which
  allows context-dependent attackers to cause a denial of service (application
  crash) via unspecified vectors.

CVE-2011-3182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3182):
  PHP before 5.3.7 does not properly check the return values of the malloc,
  calloc, and realloc library functions, which allows context-dependent
  attackers to cause a denial of service (NULL pointer dereference and
  application crash) or trigger a buffer overflow by leveraging the ability to
  provide an arbitrary value for a function argument, related to (1)
  ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3)
  ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5)
  ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7)
  ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9)
  ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the
  strtotime function.
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2011-09-03 17:20:35 UTC
alpha/ia64/s390/sh/sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2011-09-13 22:14:28 UTC
All arches done, Please add glsa request.
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2011-09-19 18:57:14 UTC
Thanks, folks. Added to existing GLSA request.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2011-10-09 00:06:23 UTC
CVE-2011-2483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2483):
  crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms,
  does not properly handle 8-bit characters, which makes it easier for
  context-dependent attackers to determine a cleartext password by leveraging
  knowledge of a password hash.
Comment 19 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-10 20:45:28 UTC
This issue was resolved and addressed in
 GLSA 201110-06 at http://security.gentoo.org/glsa/glsa-201110-06.xml
by GLSA coordinator Tobias Heinlein (keytoaster).