From the upstream bug at $URL:

OVERVIEW

PHP-CGI-based setups contain a vulnerability when parsing query string parameters from php files.

DESCRIPTION

According to PHP's website, "PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML." When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution. An example of the -s command, allowing an attacker to view the source code of index.php is below:

http://localhost/index.php?-s

IMPACT

A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server. This is fixed in PHP 5.3.12 and PHP 5.4.2.

@php, can we stabilize 5.3.12 now?
acked via IRC.

Arches, please test and mark stable:
=dev-lang/php-5.3.12
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
(In reply to comment #1)
> acked via IRC.
>
> Arches, please test and mark stable:
> =dev-lang/php-5.3.12
> Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

As far as I know, the issue has not been fixed in any PHP version yet. Please refer to the original advisory[1] for updates on the subject.

[1]: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
Thanks, Marco. Alright, the upstream fix is reportedly incomplete. CVE-2012-2311 has been assigned for the incomplete fix. Removing arches. Red Hat bug is at https://bugzilla.redhat.com/show_bug.cgi?id=818907; I do not see a new upstream bug.
FYI: http://www.php.net/index.php#id2012-05-06-1 Will bump as soon as I spot the updates.
5.3.13 in CVS now.
Great, thank you.

Arches, please test and mark stable:
=dev-lang/php-5.3.13
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 done
x86 stable
Stable for HPPA.
ppc64 done
Stable on alpha.
arm stable
ia64/s390/sh/sparc stable
CVE-2012-2336 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2336): sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.

CVE-2012-2335 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2335): php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence.

CVE-2012-2311 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2311): sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.

CVE-2012-1823 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1823): sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
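The four CVE entries above all hinge on one web-server rule: a query string with no literal "=" is split on "+" and handed to php-cgi as argv. The Python below is an added log-scanning example, not code from this bug or from PHP; it applies that rule to the raw query string (so a %3D or a leading "+" is treated the way the server treats it, which is where the partial fixes went wrong) and flags matching requests in constructed Apache-style log lines. The log lines and the option values in them are constructed samples.

```python
import re
from urllib.parse import unquote

# Hypothetical minimal matcher for the request line of a combined-format log entry.
_REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<uri>\S+) HTTP/[\d.]+"')


def cgi_argv(raw_query):
    """Reproduce the CGI rule (RFC 3875 section 4.4): only when the *raw* query
    string has no literal '=' is it split on '+' and each word percent-decoded
    into a php-cgi command-line argument. A '%3D' is not a literal '=', so the
    server still builds argv for it (the CVE-2012-2311 gap)."""
    if "=" in raw_query:
        return []
    return [unquote(word) for word in raw_query.split("+")]


def classify(raw_query):
    """Return a reason string if the query would reach php-cgi as switches, else None."""
    argv = cgi_argv(raw_query)
    opts = [a for a in argv if a.startswith("-")]
    if not opts:
        return None
    if argv[0] == "":  # '+-...' yields an empty first word ahead of the switch
        return "switch after leading '+' (CVE-2012-2335 style bypass)"
    if "%3D" in raw_query.upper():
        return "switch with encoded '=' (CVE-2012-2311 style bypass)"
    if any(o.startswith("-T") for o in opts):
        return "-T switch in query string (CVE-2012-2336 resource exhaustion)"
    return "php-cgi switch in query string (CVE-2012-1823)"


def scan_log(lines):
    """Yield (path, raw_query, reason) for every request that would be passed as argv."""
    hits = []
    for line in lines:
        m = _REQ_RE.search(line)
        if not m or "?" not in m["uri"]:
            continue
        path, _, query = m["uri"].partition("?")
        reason = classify(query)
        if reason:
            hits.append((path, query, reason))
    return hits


# Constructed sample log: four flagged requests, then two benign ones (both contain '=').
SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2012:10:00:00 +0000] "GET /index.php?-s HTTP/1.1" 200 512
10.0.0.5 - - [06/May/2012:10:00:01 +0000] "GET /index.php?-d+foo%3Dbar HTTP/1.1" 200 512
10.0.0.5 - - [06/May/2012:10:00:02 +0000] "GET /index.php?+-dfoo%3Dbar HTTP/1.1" 200 512
10.0.0.5 - - [06/May/2012:10:00:03 +0000] "GET /index.php?-T+100 HTTP/1.1" 200 512
10.0.0.6 - - [06/May/2012:10:00:04 +0000] "GET /index.php?page=-s HTTP/1.1" 200 512
10.0.0.6 - - [06/May/2012:10:00:05 +0000] "GET /index.php?q=a+b HTTP/1.1" 200 512
"""
```

Running `scan_log(SAMPLE_LOG.splitlines())` returns the first four requests with their reasons; the last two are not flagged because the literal "=" keeps the server from building argv at all.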
ppc done
Thanks, everyone. Added to existing GLSA request.
CVE-2011-1398 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1398): The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 does not properly handle %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.
This issue was resolved and addressed in GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml by GLSA coordinator Sean Amoss (ackle).