<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="200811-05"> <title>PHP: Multiple vulnerabilities</title> <synopsis> PHP contains several vulnerabilities including buffer and integer overflows which could lead to the remote execution of arbitrary code. </synopsis> <product type="ebuild">php</product> <announced>2008-11-16</announced> <revised count="01">2008-11-16</revised> <bug>209148</bug> <bug>212211</bug> <bug>215266</bug> <bug>228369</bug> <bug>230575</bug> <bug>234102</bug> <access>remote</access> <affected> <package name="dev-lang/php" auto="yes" arch="*"> <unaffected range="ge">5.2.6-r6</unaffected> <vulnerable range="lt">5.2.6-r6</vulnerable> </package> </affected> <background> <p> PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. </p> </background> <description> <p> Several vulnerabilitites were found in PHP: </p> <ul> <li>PHP ships a vulnerable version of the PCRE library which allows for the circumvention of security restrictions or even for remote code execution in case of an application which accepts user-supplied regular expressions (CVE-2008-0674).</li> <li>Multiple crash issues in several PHP functions have been discovered.</li> <li>Ryan Permeh reported that the init_request_info() function in sapi/cgi/cgi_main.c does not properly consider operator precedence when calculating the length of PATH_TRANSLATED (CVE-2008-0599).</li> <li>An off-by-one error in the metaphone() function may lead to memory corruption.</li> <li>Maksymilian Arciemowicz of SecurityReason Research reported an integer overflow, which is triggerable using printf() and related functions (CVE-2008-1384).</li> <li>Andrei Nigmatulin reported a stack-based buffer overflow in the FastCGI SAPI, which has unknown attack vectors (CVE-2008-2050).</li> <li>Stefan Esser reported that PHP does not correctly handle multibyte characters inside the escapeshellcmd() function, which is used to sanitize user input before its usage in shell commands (CVE-2008-2051).</li> <li>Stefan Esser reported that a short-coming in PHP's algorithm of seeding the random number generator might allow for predictible random numbers (CVE-2008-2107, CVE-2008-2108).</li> <li>The IMAP extension in PHP uses obsolete c-client API calls making it vulnerable to buffer overflows as no bounds checking can be done (CVE-2008-2829).</li> <li>Tavis Ormandy reported a heap-based buffer overflow in pcre_compile.c in the PCRE version shipped by PHP when processing user-supplied regular expressions (CVE-2008-2371).</li> <li>CzechSec reported that specially crafted font files can lead to an overflow in the imageloadfont() function in ext/gd/gd.c, which is part of the GD extension (CVE-2008-3658).</li> <li>Maksymilian Arciemowicz of SecurityReason Research reported that a design error in PHP's stream wrappers allows to circumvent safe_mode checks in several filesystem-related PHP functions (CVE-2008-2665, CVE-2008-2666).</li> <li>Laurent Gaffie discovered a buffer overflow in the internal memnstr() function, which is used by the PHP function explode() (CVE-2008-3659).</li> <li>An error in the FastCGI SAPI when processing a request with multiple dots preceding the extension (CVE-2008-3660).</li> </ul> </description> <impact type="normal"> <p> These vulnerabilities might allow a remote attacker to execute arbitrary code, to cause a Denial of Service, to circumvent security restrictions, to disclose information, and to manipulate files. </p> </impact> <workaround> <p> There is no known workaround at this time. </p> </workaround> <resolution> <p> All PHP users should upgrade to the latest version: </p> <code> # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.6-r6"</code> </resolution> <references> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599">CVE-2008-0599</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0674">CVE-2008-0674</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1384">CVE-2008-1384</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2050">CVE-2008-2050</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051">CVE-2008-2051</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107">CVE-2008-2107</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108">CVE-2008-2108</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2371">CVE-2008-2371</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2665">CVE-2008-2665</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2666">CVE-2008-2666</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829">CVE-2008-2829</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658">CVE-2008-3658</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659">CVE-2008-3659</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660">CVE-2008-3660</uri> </references> <metadata tag="requester" timestamp="2008-03-17T01:12:26Z"> rbu </metadata> <metadata tag="submitter" timestamp="2008-11-10T18:29:08Z"> keytoaster </metadata> <metadata tag="bugReady" timestamp="2008-11-16T16:06:26Z"> keytoaster </metadata> </glsa>