<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="201001-03"> <title>PHP: Multiple vulnerabilities</title> <synopsis> Multiple vulnerabilities were found in PHP, the worst of which leading to the remote execution of arbitrary code. </synopsis> <product type="ebuild">php</product> <announced>2010-01-05</announced> <revised count="01">2010-01-05</revised> <bug>249875</bug> <bug>255121</bug> <bug>260576</bug> <bug>261192</bug> <bug>266125</bug> <bug>274670</bug> <bug>280602</bug> <bug>285434</bug> <bug>292132</bug> <bug>293888</bug> <bug>297369</bug> <bug>297370</bug> <access>local remote</access> <affected> <package name="dev-lang/php" auto="yes" arch="*"> <unaffected range="ge">5.2.12</unaffected> <vulnerable range="lt">5.2.12</vulnerable> </package> </affected> <background> <p> PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. </p> </background> <description> <p> Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below and the associated PHP release notes for details. </p> </description> <impact type="high"> <p> A context-dependent attacker could execute arbitrary code via a specially crafted string containing an HTML entity when the mbstring extension is enabled. Furthermore a remote attacker could execute arbitrary code via a specially crafted GD graphics file. </p> <p> A remote attacker could also cause a Denial of Service via a malformed string passed to the json_decode() function, via a specially crafted ZIP file passed to the php_zip_make_relative_path() function, via a malformed JPEG image passed to the exif_read_data() function, or via temporary file exhaustion. It is also possible for an attacker to spoof certificates, bypass various safe_mode and open_basedir restrictions when certain criteria are met, perform Cross-site scripting attacks, more easily perform SQL injection attacks, manipulate settings of other virtual hosts on the same server via a malicious .htaccess entry when running on Apache, disclose memory portions, and write arbitrary files via a specially crafted ZIP archive. Some vulnerabilities with unknown impact and attack vectors have been reported as well. </p> </impact> <workaround> <p> There is no known workaround at this time. </p> </workaround> <resolution> <p> All PHP users should upgrade to the latest version. As PHP is statically linked against a vulnerable version of the c-client library when the imap or kolab USE flag is enabled (GLSA 200911-03), users should upgrade net-libs/c-client beforehand: </p> <code> # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/c-client-2007e" # emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.12"</code> </resolution> <references> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5498">CVE-2008-5498</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5514">CVE-2008-5514</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5557">CVE-2008-5557</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5624">CVE-2008-5624</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5625">CVE-2008-5625</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5658">CVE-2008-5658</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5814">CVE-2008-5814</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5844">CVE-2008-5844</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7002">CVE-2008-7002</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0754">CVE-2009-0754</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1271">CVE-2009-1271</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1272">CVE-2009-1272</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2626">CVE-2009-2626</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2687">CVE-2009-2687</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3291">CVE-2009-3291</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3292">CVE-2009-3292</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3293">CVE-2009-3293</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546">CVE-2009-3546</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3557">CVE-2009-3557</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3558">CVE-2009-3558</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017">CVE-2009-4017</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4142">CVE-2009-4142</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4143">CVE-2009-4143</uri> <uri link="https://www.gentoo.org/security/en/glsa/glsa-200911-03.xml">GLSA 200911-03</uri> </references> <metadata tag="submitter" timestamp="2009-11-06T10:26:06Z"> keytoaster </metadata> <metadata tag="bugReady" timestamp="2009-11-26T09:22:21Z"> rbu </metadata> </glsa>