full-disclosure-uk January 2009 archive

[Full-disclosure] [ MDVSA-2009:023 ] php

From: <security_at_nospam>
Date: Thu Jan 22 2009 - 00:03:00 GMT
To: full-disclosure@lists.grok.org.uk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


 Mandriva Linux Security Advisory                         MDVSA-2009:023
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : php
 Date    : January 21, 2009
 Affected: Corporate 4.0
_______________________________________________________________________

 Problem Description:

 A vulnerability in PHP allowed context-dependent attackers to cause a denial of service (crash) via a certain long string in the glob() or fnmatch() functions (CVE-2007-4782).

 A vulnerability in the cURL library in PHP allowed context-dependent attackers to bypass safe_mode and open_basedir restrictions and read arbitrary files using a special URL request (CVE-2007-4850).

 An integer overflow in PHP allowed context-dependent attackers to cause a denial of service via a special printf() format parameter (CVE-2008-1384).

 A stack-based buffer overflow in the FastCGI SAPI in PHP has unknown impact and attack vectors (CVE-2008-2050).

 Tavis Ormandy of the Google Security Team discovered a heap-based buffer overflow when compiling certain regular expression patterns. This could be used by a malicious attacker by sending a specially crafted regular expression to an application using the PCRE library, resulting in the possible execution of arbitrary code or a denial of service (CVE-2008-2371). PHP in Corporate Server 4.0 is affected by this issue.

 A buffer overflow in the imageloadfont() function in PHP allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via a crafted font file (CVE-2008-3658).

 A buffer overflow in the memnstr() function allowed context-dependent attackers to cause a denial of service (crash) and potentially execute arbitrary code via the delimiter argument to the explode() function (CVE-2008-3659).

 PHP, when used as a FastCGI module, allowed remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension (CVE-2008-3660).

 An array index error in the imageRotate() function in PHP allowed context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument to the function for an indexed image (CVE-2008-5498).

 The updated packages have been patched to correct these issues.


 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4782
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4850
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1384
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2050
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2371
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5498
_______________________________________________________________________

 Updated Packages:

 Corporate 4.0:
 d55d5489013a1f9e95262571a5ef2979 corporate/4.0/i586/libphp5_common5-5.1.6-1.10.20060mlcs4.i586.rpm
 8701a5ab0e71009171216ccda307e547 corporate/4.0/i586/php-cgi-5.1.6-1.10.20060mlcs4.i586.rpm
 d3e8b97d03ccd01127a1aeb9e17d3d7e corporate/4.0/i586/php-cli-5.1.6-1.10.20060mlcs4.i586.rpm
 6e0aa2965637f3dbc25cff1d5064bb8c corporate/4.0/i586/php-curl-5.1.6-1.1.20060mlcs4.i586.rpm
 0458b8aa8daa0e39cd329761eae9d654 corporate/4.0/i586/php-devel-5.1.6-1.10.20060mlcs4.i586.rpm
 89487acc8fa77864d25e5aebc40bc9b4 corporate/4.0/i586/php-fcgi-5.1.6-1.10.20060mlcs4.i586.rpm
 bf404efb4e9567f431256d36833fc8d6 corporate/4.0/i586/php-pcre-5.1.6-1.1.20060mlcs4.i586.rpm
 c62fb74e0d8744077e4c8ff6f50df98b corporate/4.0/SRPMS/php-5.1.6-1.10.20060mlcs4.src.rpm
 e46cf717872ddfbf6a13f6d45d225533 corporate/4.0/SRPMS/php-curl-5.1.6-1.1.20060mlcs4.src.rpm
 b188d26d6a781b5066d515ed5ae36ace corporate/4.0/SRPMS/php-pcre-5.1.6-1.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 70d99222e5692b2fd88fcb05f8f5e620 corporate/4.0/x86_64/lib64php5_common5-5.1.6-1.10.20060mlcs4.x86_64.rpm
 62448b1b344cdc098b6620e0e773ef17 corporate/4.0/x86_64/php-cgi-5.1.6-1.10.20060mlcs4.x86_64.rpm
 dc0df43cfe80f4b5017924152d43a91f corporate/4.0/x86_64/php-cli-5.1.6-1.10.20060mlcs4.x86_64.rpm
 9ac37cd014c4012a964e65cbe9d1b01a corporate/4.0/x86_64/php-curl-5.1.6-1.1.20060mlcs4.x86_64.rpm
 6ac51f6b50172ee6d5eb36ce8b8cba77 corporate/4.0/x86_64/php-devel-5.1.6-1.10.20060mlcs4.x86_64.rpm
 ab26bfe0c8370bd2bf37205cbc1df63b corporate/4.0/x86_64/php-fcgi-5.1.6-1.10.20060mlcs4.x86_64.rpm
 e570ffbbd17e30630e7f14a67b57cffd corporate/4.0/x86_64/php-pcre-5.1.6-1.1.20060mlcs4.x86_64.rpm
 c62fb74e0d8744077e4c8ff6f50df98b corporate/4.0/SRPMS/php-5.1.6-1.10.20060mlcs4.src.rpm
 e46cf717872ddfbf6a13f6d45d225533 corporate/4.0/SRPMS/php-curl-5.1.6-1.1.20060mlcs4.src.rpm
 b188d26d6a781b5066d515ed5ae36ace corporate/4.0/SRPMS/php-pcre-5.1.6-1.1.20060mlcs4.src.rpm
_______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com


 Type Bits/KeyID Date User ID
 pub 1024D/22458A98 2000-07-10 Mandriva Security Team   <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJd4y5mqjQ0CJFipgRAlpVAJ4oOl0atBrwZTu5WA3RvdNxzIDroACgi+UH 4tzIz9f+JcmDA5Q469nYg5M=
=804z
-----END PGP SIGNATURE-----



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
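
For packages fetched by hand rather than through MandrivaUpdate or urpmi, the checksum comparison the advisory mentions can be scripted against its "Updated Packages" listing. The following is an added example, not part of the advisory or of Mandriva's tooling; the function names and the dummy pkg-a/pkg-b files are constructed for illustration, and md5sum, grep -o and (for check_signature only) rpm are assumed to be installed.

```shell
#!/bin/sh
# Added example: check hand-downloaded RPMs against an advisory's "md5 path" pairs.

# Print "md5 basename" for each pair, even when several pairs share one line.
advisory_sums() {
    grep -oE '[0-9a-f]{32} +[^ ]+\.rpm' "$1" |
        while read -r as_sum as_path; do
            printf '%s %s\n' "$as_sum" "${as_path##*/}"
        done
}

# Compare every listed package with the copy in directory $2.
# Returns 0 if all match, 1 on any MISSING/MISMATCH, 2 if no pairs were found.
verify_downloads() {
    vd_rc=0
    vd_list=$(advisory_sums "$1")
    [ -n "$vd_list" ] || { echo "no checksums found in $1" >&2; return 2; }
    while read -r vd_sum vd_name; do
        if [ ! -f "$2/$vd_name" ]; then
            echo "MISSING  $vd_name"; vd_rc=1; continue
        fi
        vd_actual=$(md5sum "$2/$vd_name" | cut -d' ' -f1)
        if [ "$vd_actual" = "$vd_sum" ]; then
            echo "OK       $vd_name"
        else
            echo "MISMATCH $vd_name"; vd_rc=1
        fi
    done <<EOF
$vd_list
EOF
    return "$vd_rc"
}

# Authenticity: rpm -K checks digests and the GPG signature against imported keys.
check_signature() { rpm -K "$1"; }

# Constructed sample: two dummy files and a flattened listing whose second
# hash is deliberately wrong, so the run shows one OK and one MISMATCH.
demo() {
    d=$(mktemp -d) || return 1
    printf 'payload-a' > "$d/pkg-a-1.0-1.i586.rpm"
    printf 'payload-b' > "$d/pkg-b-1.0-1.i586.rpm"
    good=$(md5sum "$d/pkg-a-1.0-1.i586.rpm" | cut -d' ' -f1)
    printf ' Corporate 4.0: %s corporate/4.0/i586/pkg-a-1.0-1.i586.rpm %s corporate/4.0/i586/pkg-b-1.0-1.i586.rpm\n' \
        "$good" 00000000000000000000000000000000 > "$d/advisory.txt"
    verify_downloads "$d/advisory.txt" "$d" || echo "-> at least one package failed verification"
    rm -rf "$d"
}
demo
```

The MD5 comparison only detects a corrupted or swapped download; the GPG signature checked by rpm -K is what ties a package to the Mandriva Security Team key.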