PDA

View Full Version : USN-628-1: PHP vulnerabilities



rss-bot
July 23rd, 2008, 08:40 PM
Referenced CVEs:
CVE-2007-4782, CVE-2007-4850, CVE-2007-5898, CVE-2007-5899, CVE-2008-0599, CVE-2008-1384, CVE-2008-2050, CVE-2008-2051, CVE-2008-2107, CVE-2008-2108, CVE-2008-2371, CVE-2008-2829


Description:
================================================== ========= Ubuntu Security Notice USN-628-1 July 23, 2008 php5 vulnerabilities CVE-2007-4782, CVE-2007-4850, CVE-2007-5898, CVE-2007-5899, CVE-2008-0599, CVE-2008-1384, CVE-2008-2050, CVE-2008-2051, CVE-2008-2107, CVE-2008-2108, CVE-2008-2371, CVE-2008-2829 ================================================== ========= A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.04 Ubuntu 7.10 Ubuntu 8.04 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libapache2-mod-php5 5.1.2-1ubuntu3.12 php5-cgi 5.1.2-1ubuntu3.12 php5-cli 5.1.2-1ubuntu3.12 php5-curl 5.1.2-1ubuntu3.12 Ubuntu 7.04: libapache2-mod-php5 5.2.1-0ubuntu1.6 php5-cgi 5.2.1-0ubuntu1.6 php5-cli 5.2.1-0ubuntu1.6 php5-curl 5.2.1-0ubuntu1.6 Ubuntu 7.10: libapache2-mod-php5 5.2.3-1ubuntu6.4 php5-cgi 5.2.3-1ubuntu6.4 php5-cli 5.2.3-1ubuntu6.4 php5-curl 5.2.3-1ubuntu6.4 Ubuntu 8.04 LTS: libapache2-mod-php5 5.2.4-2ubuntu5.3 php5-cgi 5.2.4-2ubuntu5.3 php5-cli 5.2.4-2ubuntu5.3 php5-curl 5.2.4-2ubuntu5.3 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that PHP did not properly check the length of the string parameter to the fnmatch function. An attacker could cause a denial of service in the PHP interpreter if a script passed untrusted input to the fnmatch function. (CVE-2007-4782) Maksymilian Arciemowicz discovered a flaw in the cURL library that allowed safe_mode and open_basedir restrictions to be bypassed. If a PHP application were tricked into processing a bad file:// request, an attacker could read arbitrary files. (CVE-2007-4850) Rasmus Lerdorf discovered that the htmlentities and htmlspecialchars functions did not correctly stop when handling partial multibyte sequences. A remote attacker could exploit this to read certain areas of memory, possibly gaining access to sensitive information. This issue affects Ubuntu 8.04 LTS, and an updated fix is included for Ubuntu 6.06 LTS, 7.04 and 7.10. (CVE-2007-5898) It was discovered that the output_add_rewrite_var function would sometimes leak session id information to forms targeting remote URLs. Malicious remote sites could use this information to gain access to a PHP application user's login credentials. This issue only affects Ubuntu 8.04 LTS. (CVE-2007-5899) It was discovered that PHP did not properly calculate the length of PATH_TRANSLATED. If a PHP application were tricked into processing a malicious URI, and attacker may be able to execute arbitrary code with application privileges. (CVE-2008-0599) An integer overflow was discovered in the php_sprintf_appendstring function. Attackers could exploit this to cause a denial of service. (CVE-2008-1384) Andrei Nigmatulin discovered stack-based overflows in the FastCGI SAPI of PHP. An attacker may be able to leverage this issue to perform attacks against PHP applications. (CVE-2008-2050) It was discovered that the escapeshellcmd did not properly process multibyte characters. An attacker may be able to bypass quoting restrictions and possibly execute arbitrary code with application privileges. (CVE-2008-2051) It was discovered that the GENERATE_SEED macro produced a predictable seed under certain circumstances. Attackers may by able to easily predict the results of the rand and mt_rand functions. (CVE-2008-2107, CVE-2008-2108) Tavis Ormandy discovered that the PCRE library did not correctly handle certain in-pattern options. An attacker could cause PHP applications using pcre to crash, leading to a denial of service. USN-624-1 fixed vulnerabilities in the pcre3 library. This update provides the corresponding update for PHP. (CVE-2008-2371) It was discovered that php_imap used obsolete API calls. If a PHP application were tricked into processing a malicious IMAP request, an attacker could cause a denial of service or possibly execute code with application privileges. (CVE-2008-2829)





More... (http://www.ubuntu.com/usn/usn-628-1)