From owner-freebsd-ports-bugs@FreeBSD.ORG Fri Dec 24 22:30:09 2010 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7489C10656A3; Fri, 24 Dec 2010 22:30:09 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 294EF8FC17; Fri, 24 Dec 2010 22:30:09 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id oBOMU96X006040; Fri, 24 Dec 2010 22:30:09 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id oBOMU8jI006029; Fri, 24 Dec 2010 22:30:08 GMT (envelope-from gnats) Resent-Date: Fri, 24 Dec 2010 22:30:08 GMT Resent-Message-Id: <201012242230.oBOMU8jI006029@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@freebsd.org (GNATS Filer) Resent-To: freebsd-ports-bugs@FreeBSD.org Resent-Cc: itetcu@freebsd.org, ale@freebsd.org Resent-Reply-To: FreeBSD-gnats-submit@freebsd.org, Eygene Ryabinkin Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3162A106564A for ; Fri, 24 Dec 2010 22:20:27 +0000 (UTC) (envelope-from rea@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id E1E158FC0C for ; Fri, 24 Dec 2010 22:20:25 +0000 (UTC) Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtps (TLSv1:CAMELLIA256-SHA:256) id 1PWFzs-000LE0-MA for FreeBSD-gnats-submit@freebsd.org; Sat, 25 Dec 2010 01:20:24 +0300 Message-Id: <20101224222024.7D117DA81F@void.codelabs.ru> Date: Sat, 25 Dec 2010 01:20:24 +0300 (MSK) 
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
X-GNATS-Notify: itetcu@freebsd.org, ale@freebsd.org
Cc:
Subject: ports/153433: security/vuxml: split recent PHP entry into multiple ones
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Eygene Ryabinkin
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 24 Dec 2010 22:30:09 -0000

>Number:         153433
>Category:       ports
>Synopsis:       security/vuxml: split recent PHP entry into multiple ones
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 24 22:30:08 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 9.0-CURRENT amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 9.0-CURRENT amd64
>Description:
I propose to split the recent VuXML entry for PHP,
http://www.vuxml.org/freebsd/b2a6fc0e-070f-11e0-a6e9-00215c6a37bb.html
into multiple ones. The reasons are:

- it is better to group vulnerabilities by topic (DoS, code execution, etc.);
  people can more easily evaluate the impact of the different classes on
  their resources; for example, a DoS in the context of an Apache container
  will likely affect only the user that provoked the DoS, and other Apache
  processes will continue to work;

- the PHAR vulnerability is present only in 5.3.x;

- the extract() vulnerability was fixed both in 5.2 and 5.3:
  http://www.mail-archive.com/php-cvs@lists.php.net/msg47722.html

- NULL-byte poisoning was fixed only in 5.3; 5.2.x is still vulnerable to
  this design error;

- DFS-related fixes are not relevant for FreeBSD, since DFS is a Windows
  file system that is unsupported by us.

>How-To-Repeat:
n/a
>Fix:
Here is the proposed patch to the vuln.xml:

--- 0001-Split-recent-PHP-entry-into-multiple-ones.patch begins here ---
>From 9a06a18a3dd379b648f3ac80821aab3f2756988e Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin Date: Sat, 25 Dec 2010 01:00:33 +0300 Many reasons: - it is better to group vulnerabilities by-topic (DoS, code execution, etc); - PHAR vulnerability is present only in 5.3.x; - extract() vulnerability was fixed both in 5.2 and 5.3: http://www.mail-archive.com/php-cvs@lists.php.net/msg47722.html - NULL-byte poisoning was fixed only in 5.3, 5.2.x is still vulnerable to this design error; - DFS-related fixes are not relevant for FreeBSD, since DFS is Windows file system that is unsupported by us. Signed-off-by: Eygene Ryabinkin --- security/vuxml/vuln.xml | 228 ++++++++++++++++++++++++++++++++++++++--------- 1 files changed, 187 insertions(+), 41 deletions(-) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 949ab58..6ccba50 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -68,8 +68,8 @@ Note: Please add new entries to the beginning of this file. - - php -- multiple vulnerabilities + + PHP -- multiple Denial of Service vulnerabilities php5 @@ -82,57 +82,203 @@ Note: Please add new entries to the beginning of this file. -

PHP developers reports:

+

The following DoS conditions were fixed in PHP 5.3.4 + and PHP 5.2.15:

+
    +
  • +
    +

    Fixed crash in zip extract method (possible CWE-170).

    +
    +
  • +
  • +
    +

    A remote user can send specially crafted IMAP user name + or password data to trigger a double free memory error in + 'ext/imap/php_imap.c' and cause the target service to + crash.

    +

    It may be possible to execute arbitrary code. However, + code execution was not confirmed.

    +
    +
  • +
  • +
    +

    The ZipArchive::getArchiveComment function in PHP 5.2.x + through 5.2.14 and 5.3.x through 5.3.3 allows + context-dependent attackers to cause a denial of service + (NULL pointer dereference and application crash) via a + crafted ZIP archive.

    +
    +
  • +
  • +
    +

    Stack consumption vulnerability in the filter_var + function in PHP 5.2.x through 5.2.14 and 5.3.x through + 5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows + remote attackers to cause a denial of service (memory + consumption and application crash) via a long e-mail + address string.

    +
    +
  • +
+ +
+ + CVE-2010-3709 + CVE-2010-3710 + CVE-2010-4150 + http://www.php.net/releases/5_3_4.php + http://www.php.net/releases/5_2_15.php + http://securityreason.com/achievement_securityalert/90 + + + 2010-12-13 + TODAY + +
+ + + PHP -- format string vulnerability in PHAR extension + + + php5 + 5.3.4 + + + + +

Entry for CVE-2010-2950 says:

+
+

Format string vulnerability in stream.c in the phar + extension in PHP 5.3.x through 5.3.3 allows context-dependent + attackers to obtain sensitive information (memory contents) + and possibly execute arbitrary code via a crafted phar:// + URI.

+
+ +
+ + CVE-2010-2950 + http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html + + + 2010-12-13 + TODAY + +
+ + + PHP -- NULL byte poisoning + + + php5 + 5.3.4 + + + php52 + 0 + + + + +

PHP-specific version of NULL-byte poisoning was briefly + described by ShAnKaR:

+
+

Poison NULL byte vulnerability for perl CGI applications + was described in [1]. + ShAnKaR noted, that same vulnerability also affects different + PHP applications.

+
+

PHP developers report that branch 5.3 received a fix:

-

Security Enhancements and Fixes in PHP 5.3.4:

-
    -
  • Fixed crash in zip extract method (possible - CWE-170).
  • -
  • Paths with NULL in them (foo\0bar.txt) are now - considered as invalid (CVE-2006-7243).
  • -
  • Fixed a possible double free in imap extension - (Identified by Mateusz Kocielski). (CVE-2010-4150).
  • -
  • Fixed NULL pointer dereference in - ZipArchive::getArchiveComment. (CVE-2010-3709).
  • -
  • Fixed possible flaw in open_basedir (CVE-2010-3436).
  • -
  • Fixed MOPS-2010-24, fix string validation. - (CVE-2010-2950).
  • -
  • Fixed symbolic resolution support when the target - is a DFS share.
  • -
  • Fixed bug #52929 (Segfault in filter_var with - FILTER_VALIDATE_EMAIL with large amount of data) (CVE-2010-3710).
  • -
-
-
-

Security Enhancements and Fixes in PHP 5.2.15:

-
    -
  • Fixed extract() to do not overwrite $GLOBALS and $this - when using EXTR_OVERWRITE.
  • -
  • Fixed crash in zip extract method (possible CWE-170).
  • -
  • Fixed a possible double free in imap extension.
  • -
  • Fixed possible flaw in open_basedir (CVE-2010-3436).
  • -
  • Fixed NULL pointer dereference in ZipArchive::getArchiveComment. - (CVE-2010-3709).
  • -
  • Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL - with large amount of data).
  • -
-
+

Paths with NULL in them (foo\0bar.txt) are now considered + as invalid (CVE-2006-7243).

+
CVE-2006-7243 - CVE-2010-2950 + http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded + http://artofhacking.com/files/phrack/phrack55/P55-07.TXT + + + 2010-12-10 + TODAY + +
+ + + PHP -- open_basedir bypass + + + php5 + 5.3.4 + + + php52 + 5.2.15 + + + + +

MITRE reports:

+
+

fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow + remote attackers to bypass open_basedir restrictions via + vectors related to the length of a filename.

+
+ +
+ + 44723 CVE-2010-3436 - CVE-2010-3709 - CVE-2010-4150 2010-12-10 - 2010-12-13 - 2010-12-16 + TODAY
+ + PHP -- corruption of $GLOBALS and $this variables via extract() method + + + php5 + 5.3.4 + + + php52 + 5.2.15 + + + + +

Off-by-one error in the sanity validator for the extract() + method allowed attackers to replace the values of $GLOBALS and + $this when mode EXTR_OVERWRITE was used.

+ +
+ + http://www.mail-archive.com/php-cvs@lists.php.net/msg47722.html + http://www.php.net/releases/5_2_15.php + + + 2010-12-10 + TODAY + +
+ + + + + mozilla -- multiple vulnerabilities -- 1.7.3.2 --- 0001-Split-recent-PHP-entry-into-multiple-ones.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
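Review bot: The new "PHP -- open_basedir bypass" entry marks php52 below 5.2.15 as affected, but its body quotes only the MITRE text covering "PHP 5.3.x through 5.3.3" and its references list only the BID and CVE; the hunk itself removes the 5.2.15 release-note line "Fixed possible flaw in open_basedir (CVE-2010-3436)", so add http://www.php.net/releases/5_2_15.php to that entry's references (the DoS and extract() entries already cite it) so the php52 range is backed by a cited source. Separately, every new entry carries a TODAY placeholder where the original entry had a real modified date (the hunk drops 2010-12-16 and puts TODAY in its place); those placeholders must be replaced with the actual commit date before this goes in, since vuln.xml will not validate with TODAY as a date value.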