Date:      Sat, 25 Dec 2010 01:20:24 +0300 (MSK)
From:      Eygene Ryabinkin <rea@freebsd.org>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   ports/153433: security/vuxml: split recent PHP entry into multiple ones
Message-ID:  <20101224222024.7D117DA81F@void.codelabs.ru>
Resent-Message-ID: <201012242230.oBOMU8jI006029@freefall.freebsd.org>


>Number:         153433
>Category:       ports
>Synopsis:       security/vuxml: split recent PHP entry into multiple ones
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 24 22:30:08 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 9.0-CURRENT amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 9.0-CURRENT amd64

>Description:

I propose to split the recent VuXML entry for PHP,
  http://www.vuxml.org/freebsd/b2a6fc0e-070f-11e0-a6e9-00215c6a37bb.html
into multiple ones.

The reasons are:
 - it is better to group vulnerabilities by topic (DoS, code
   execution, etc.) -- people can evaluate more easily the impact
   of different classes on their resources; for example, a DoS in
   the context of an Apache container will likely affect only the
   user that provoked the DoS, and other Apache processes will
   continue to work;
 - the PHAR vulnerability is present only in 5.3.x;
 - the extract() vulnerability was fixed both in 5.2 and 5.3:
   http://www.mail-archive.com/php-cvs@lists.php.net/msg47722.html
 - NULL-byte poisoning was fixed only in 5.3; 5.2.x is still
   vulnerable to this design error;
 - DFS-related fixes are not relevant for FreeBSD, since DFS
   is a Windows file system that is unsupported by us.
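The per-version applicability argued above (PHAR only in 5.3.x, NULL-byte poisoning unfixed in every 5.2.x, open_basedir fixed in both branches) is exactly what a VuXML `<affects>` matcher sees once the entry is split. The following added example, which is not FreeBSD's portaudit/pkg code, evaluates a constructed vuln.xml fragment built from the ranges in this PR's PHAR, NULL-byte and open_basedir entries against a given port name and version; it omits the vuxml namespace the real file declares and uses a simplified dotted-integer version comparison rather than FreeBSD's full pkg_version rules.

```python
import xml.etree.ElementTree as ET

# Constructed vuln.xml fragment (no vuxml namespace, which the real file declares)
# using the <affects> ranges visible in the PR's PHAR, NULL-byte and open_basedir entries.
VULN_XML = """<vuxml>
  <vuln vid="phar">
    <affects><package><name>php5</name><range><lt>5.3.4</lt></range></package></affects>
  </vuln>
  <vuln vid="nullbyte">
    <affects>
      <package><name>php5</name><range><lt>5.3.4</lt></range></package>
      <package><name>php52</name><range><ge>0</ge></range></package>
    </affects>
  </vuln>
  <vuln vid="basedir">
    <affects>
      <package><name>php5</name><range><lt>5.3.4</lt></range></package>
      <package><name>php52</name><range><lt>5.2.15</lt></range></package>
    </affects>
  </vuln>
</vuxml>"""

OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
       "eq": lambda a, b: a == b, "ge": lambda a, b: a >= b,
       "gt": lambda a, b: a > b}

def parse_version(text):
    # Simplification (assumption): dotted integers only; FreeBSD's real ordering
    # also handles PORTREVISION suffixes such as "5.3.3_1", which are dropped here.
    return tuple(int(part) for part in text.split("_")[0].split("."))

def range_matches(rng, ver):
    # Every bound inside one <range> must hold (e.g. <ge>5.3</ge><lt>5.3.4</lt>).
    return all(OPS[bound.tag](ver, parse_version(bound.text)) for bound in rng)

def affected_entries(vuln_xml, pkg, version):
    """Return the vids whose <affects> cover the given (port name, version)."""
    ver = parse_version(version)
    hits = []
    for vuln in ET.fromstring(vuln_xml).findall("vuln"):
        for package in vuln.find("affects").findall("package"):
            if package.findtext("name") != pkg:
                continue
            # Multiple <range> elements inside one <package> are alternatives (OR).
            if any(range_matches(r, ver) for r in package.findall("range")):
                hits.append(vuln.get("vid"))
                break
    return hits
```

With the split entries, `affected_entries(VULN_XML, "php52", "5.2.15")` reports only the NULL-byte entry, while a single combined entry would have had to flag the whole php52 port or nothing.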

>How-To-Repeat:

n/a

>Fix:

Here is the proposed patch to vuln.xml:
--- 0001-Split-recent-PHP-entry-into-multiple-ones.patch begins here ---
>From 9a06a18a3dd379b648f3ac80821aab3f2756988e Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sat, 25 Dec 2010 01:00:33 +0300

Many reasons:
 - it is better to group vulnerabilities by topic (DoS, code
   execution, etc.);
 - the PHAR vulnerability is present only in 5.3.x;
 - the extract() vulnerability was fixed both in 5.2 and 5.3:
   http://www.mail-archive.com/php-cvs@lists.php.net/msg47722.html
 - NULL-byte poisoning was fixed only in 5.3; 5.2.x is still
   vulnerable to this design error;
 - DFS-related fixes are not relevant for FreeBSD, since DFS
   is a Windows file system that is unsupported by us.

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 security/vuxml/vuln.xml |  228 ++++++++++++++++++++++++++++++++++++++---------
 1 files changed, 187 insertions(+), 41 deletions(-)

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 949ab58..6ccba50 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -68,8 +68,8 @@ Note:  Please add new entries to the beginning of this file.
     </dates>
   </vuln>
 
-  <vuln vid="b2a6fc0e-070f-11e0-a6e9-00215c6a37bb">
-    <topic>php -- multiple vulnerabilities</topic>
+  <vuln vid="1a0704e7-0edf-11e0-becc-0022156e8794">
+    <topic>PHP -- multiple Denial of Service vulnerabilities</topic>
     <affects>
       <package>
 	<name>php5</name>
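Review bot: rewriting the vid of the existing entry in place means the new DoS entry inherits the old combined entry's `<affects>` block, of which only `<name>php5</name>` is visible in this hunk; verify that the unseen `<range>` lines for php5 and php52 still match the new description's claim that the fixes landed in 5.3.4 and 5.2.15 (`<lt>5.3.4</lt>` / `<lt>5.2.15</lt>`), since they were written for the combined entry and are not touched here. A style point: the topic changes from lowercase `php` to `PHP`, while the neighbouring entry keeps the port name lowercase (`mozilla -- multiple vulnerabilities`), so either keep the file's convention or apply the product-name form consistently across the five new topics.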
@@ -82,57 +82,203 @@ Note:  Please add new entries to the beginning of this file.
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">;
-	<p>PHP developers reports:</p>
+        <p>The following DoS conditions were fixed in PHP 5.3.4
+        and PHP 5.2.15:</p>
+        <ul>
+          <li>
+            <blockquote
+              cite="http://www.php.net/releases/5_3_4.php">;
+              <p>Fixed crash in zip extract method (possible CWE-170).</p>
+            </blockquote>
+          </li>
+          <li>
+            <blockquote
+              cite="http://securitytracker.com/alerts/2010/Nov/1024761.html">;
+              <p>A remote user can send specially crafted IMAP user name
+              or password data to trigger a double free memory error in
+              'ext/imap/php_imap.c' and cause the target service to
+              crash.</p>
+              <p>It may be possible to execute arbitrary code. However,
+              code execution was not confirmed.</p>
+            </blockquote>
+          </li>
+          <li>
+            <blockquote
+              cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3709">;
+              <p>The ZipArchive::getArchiveComment function in PHP 5.2.x
+              through 5.2.14 and 5.3.x through 5.3.3 allows
+              context-dependent attackers to cause a denial of service
+              (NULL pointer dereference and application crash) via a
+              crafted ZIP archive.</p>
+            </blockquote>
+          </li>
+          <li>
+            <blockquote
+              cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3710">;
+              <p>Stack consumption vulnerability in the filter_var
+              function in PHP 5.2.x through 5.2.14 and 5.3.x through
+              5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows
+              remote attackers to cause a denial of service (memory
+              consumption and application crash) via a long e-mail
+              address string.</p>
+            </blockquote>
+          </li>
+        </ul>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2010-3709</cvename>
+      <cvename>CVE-2010-3710</cvename>
+      <cvename>CVE-2010-4150</cvename>
+      <url>http://www.php.net/releases/5_3_4.php</url>;
+      <url>http://www.php.net/releases/5_2_15.php</url>;
+      <url>http://securityreason.com/achievement_securityalert/90</url>;
+    </references>
+    <dates>
+      <discovery>2010-12-13</discovery>
+      <entry>TODAY</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="da3d381b-0ee6-11e0-becc-0022156e8794">
+    <topic>PHP -- format string vulnerability in PHAR extension</topic>
+    <affects>
+      <package>
+        <name>php5</name>
+        <range><lt>5.3.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+        <p>Entry for CVE-2010-2950 says:</p>
+        <blockquote
+          cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2950">;
+          <p>Format string vulnerability in stream.c in the phar
+          extension in PHP 5.3.x through 5.3.3 allows context-dependent
+          attackers to obtain sensitive information (memory contents)
+          and possibly execute arbitrary code via a crafted phar://
+          URI.</p>
+        </blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2010-2950</cvename>
+      <url>http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html</url>;
+    </references>
+    <dates>
+      <discovery>2010-12-13</discovery>
+      <entry>TODAY</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="3761df02-0f9c-11e0-becc-0022156e8794">
+    <topic>PHP -- NULL byte poisoning</topic>
+    <affects>
+      <package>
+	<name>php5</name>
+	<range><lt>5.3.4</lt></range>
+      </package>
+      <package>
+	<name>php52</name>
+	<range><ge>0</ge></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+        <p>PHP-specific version of NULL-byte poisoning was briefly
+        described by ShAnKaR:</p>
+	<blockquote
+	  cite="http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded">;
+          <p>Poison NULL byte vulnerability for perl CGI applications
+          was described in <a
+          href="http://artofhacking.com/files/phrack/phrack55/P55-07.TXT">[1]</a>.
+          ShAnKaR noted, that same vulnerability also affects different
+          PHP applications.</p>
+        </blockquote>
+        <p>PHP developers report that branch 5.3 received a fix:</p>
 	<blockquote cite="http://www.php.net/releases/5_3_4.php">;
-	  <p>Security Enhancements and Fixes in PHP 5.3.4:</p>
-	  <ul>
-	    <li>Fixed crash in zip extract method (possible
-	      CWE-170).</li>
-	    <li>Paths with NULL in them (foo\0bar.txt) are now
-	      considered as invalid (CVE-2006-7243).</li>
-	    <li>Fixed a possible double free in imap extension
-	      (Identified by Mateusz Kocielski). (CVE-2010-4150).</li>
-	    <li>Fixed NULL pointer dereference in
-	      ZipArchive::getArchiveComment.  (CVE-2010-3709).</li>
-	    <li>Fixed possible flaw in open_basedir (CVE-2010-3436).</li> 
-	    <li>Fixed MOPS-2010-24, fix string validation.
-	      (CVE-2010-2950).</li> 
-	    <li>Fixed symbolic resolution support when the target
-	      is a DFS share.</li> 
-	    <li>Fixed bug #52929 (Segfault in filter_var with
-	      FILTER_VALIDATE_EMAIL with large amount of data) (CVE-2010-3710).</li> 
-	  </ul> 
-	</blockquote>
-	<blockquote cite="http://www.php.net/releases/5_2_15.php">;
-	  <p>Security Enhancements and Fixes in PHP 5.2.15:</p>
-	  <ul>
-	    <li>Fixed extract() to do not overwrite $GLOBALS and $this
-	      when using EXTR_OVERWRITE.</li> 
-	    <li>Fixed crash in zip extract method (possible CWE-170).</li> 
-	    <li>Fixed a possible double free in imap extension.</li> 
-	    <li>Fixed possible flaw in open_basedir (CVE-2010-3436).</li> 
-	    <li>Fixed NULL pointer dereference in ZipArchive::getArchiveComment.
-	      (CVE-2010-3709).</li> 
-	    <li>Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL
-	      with large amount of data).</li> 
-	  </ul> 
-	</blockquote>
+          <p>Paths with NULL in them (foo\0bar.txt) are now considered
+          as invalid (CVE-2006-7243).</p>
+        </blockquote>
       </body>
     </description>
     <references>
       <cvename>CVE-2006-7243</cvename>
-      <cvename>CVE-2010-2950</cvename>
+      <url>http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded</url>;
+      <url>http://artofhacking.com/files/phrack/phrack55/P55-07.TXT</url>;
+    </references>
+    <dates>
+      <discovery>2010-12-10</discovery>
+      <entry>TODAY</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="73634294-0fa7-11e0-becc-0022156e8794">
+    <topic>PHP -- open_basedir bypass</topic>
+    <affects>
+      <package>
+	<name>php5</name>
+	<range><lt>5.3.4</lt></range>
+      </package>
+      <package>
+	<name>php52</name>
+	<range><lt>5.2.15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+        <p>MITRE reports:</p>
+        <blockquote
+          cite="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3436">;
+          <p>fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow
+          remote attackers to bypass open_basedir restrictions via
+          vectors related to the length of a filename.</p>
+        </blockquote>
+      </body>
+    </description>
+    <references>
+      <bid>44723</bid>
       <cvename>CVE-2010-3436</cvename>
-      <cvename>CVE-2010-3709</cvename>
-      <cvename>CVE-2010-4150</cvename>
     </references>
     <dates>
       <discovery>2010-12-10</discovery>
-      <entry>2010-12-13</entry>
-      <modified>2010-12-16</modified>
+      <entry>TODAY</entry>
     </dates>
   </vuln>
 
+  <vuln vid="f3148a05-0fa7-11e0-becc-0022156e8794">
+    <topic>PHP -- corruption of $GLOBALS and $this variables via extract() method</topic>
+    <affects>
+      <package>
+	<name>php5</name>
+	<range><lt>5.3.4</lt></range>
+      </package>
+      <package>
+	<name>php52</name>
+	<range><lt>5.2.15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+        <p>Off-by-one error in the sanity validator for the extract()
+        method allowed attackers to replace the values of $GLOBALS and
+        $this when mode EXTR_OVERWRITE was used.</p>
+      </body>
+    </description>
+    <references>
+      <url>http://www.mail-archive.com/php-cvs@lists.php.net/msg47722.html</url>;
+      <url>http://www.php.net/releases/5_2_15.php</url>;
+    </references>
+    <dates>
+      <discovery>2010-12-10</discovery>
+      <entry>TODAY</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="b2a6fc0e-070f-11e0-a6e9-00215c6a37bb">
+    <cancelled />
+  </vuln>
+
   <vuln vid="1d8ff4a2-0445-11e0-8e32-000f20797ede">
     <topic>mozilla -- multiple vulnerabilities</topic>
     <affects>
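Review bot: all five new entries carry `<entry>TODAY</entry>`, which must be replaced with the real YYYY-MM-DD commit date before this goes in, as the literal `TODAY` is not a valid date for the entry element. Two smaller points: the open_basedir entry lists php52 `<lt>5.2.15</lt>`, but its only quoted text (`fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow`) covers the 5.3 branch, so add `http://www.php.net/releases/5_2_15.php` to that entry's `<references>`, since the removed 5.2.15 release-notes lines show the same CVE-2010-3436 fix and would back the php52 range; and indentation is mixed, with `<name>php5</name>` tab-indented in the NULL-byte, open_basedir and extract() entries but space-indented in the PHAR entry, which should be unified to the file's existing style.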
-- 
1.7.3.2
--- 0001-Split-recent-PHP-entry-into-multiple-ones.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: