[ GLSA 200509-19 ] PHP: Vulnerabilities in included PCRE and XML-RPC libraries

From: Thierry Carrez (koon_at_gentoo.org)
Date: 09/27/05

    Date: Tue, 27 Sep 2005 22:25:27 +0200
    To: gentoo-announce@lists.gentoo.org
    
    
    

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 200509-19
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                http://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

      Severity: Normal
         Title: PHP: Vulnerabilities in included PCRE and XML-RPC libraries
          Date: September 27, 2005
          Bugs: #102373
            ID: 200509-19

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    PHP makes use of an affected PCRE library and ships with an affected
    XML-RPC library and is therefore potentially vulnerable to remote
    execution of arbitrary code.

    Background
    ==========

    PHP is a general-purpose scripting language widely used to develop
    web-based applications. It can run inside a web server using the
    mod_php module or the CGI version of PHP, or can run stand-alone in a
    CLI.

    Affected packages
    =================

        -------------------------------------------------------------------
         Package           /  Vulnerable  /                     Unaffected
        -------------------------------------------------------------------
      1  dev-php/php          < 4.4.0-r1                     *>= 4.3.11-r1
                                                               >= 4.4.0-r1
      2  dev-php/mod_php      < 4.4.0-r2                     *>= 4.3.11-r1
                                                               >= 4.4.0-r2
      3  dev-php/php-cgi      < 4.4.0-r2                     *>= 4.3.11-r2
                                                               >= 4.4.0-r2
        -------------------------------------------------------------------
         3 affected packages on all of their supported architectures.
        -------------------------------------------------------------------

    Description
    ===========

    PHP makes use of a private copy of libpcre which is subject to an
    integer overflow leading to a heap overflow (see GLSA 200508-17). It
    also ships with an XML-RPC library affected by a script injection
    vulnerability (see GLSA 200508-13).

    Impact
    ======

    An attacker could target a PHP-based web application that would use
    untrusted data as regular expressions, potentially resulting in the
    execution of arbitrary code. If web applications make use of the
    XML-RPC library shipped with PHP, they are also vulnerable to remote
    execution of arbitrary PHP code.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All PHP users should upgrade to the latest version:

        # emerge --sync
        # emerge --ask --oneshot --verbose dev-php/php

    All mod_php users should upgrade to the latest version:

        # emerge --sync
        # emerge --ask --oneshot --verbose dev-php/mod_php

    All php-cgi users should upgrade to the latest version:

        # emerge --sync
        # emerge --ask --oneshot --verbose dev-php/php-cgi

    References
    ==========

      [ 1 ] CAN-2005-2491
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2491
      [ 2 ] CAN-2005-2498
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498
      [ 3 ] GLSA 200508-13
            http://www.gentoo.org/security/en/glsa/glsa-200508-13.xml
      [ 4 ] GLSA 200508-17
            http://www.gentoo.org/security/en/glsa/glsa-200508-17.xml

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

      http://security.gentoo.org/glsa/glsa-200509-19.xml

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    http://bugs.gentoo.org.

    License
    =======

    Copyright 2005 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    http://creativecommons.org/licenses/by-sa/2.0
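
Added example, not part of the Gentoo advisory: a small classifier that applies the "Affected packages" table above to an installed version string, so an inventory can be triaged before running the emerge commands from the Resolution section. The function names are hypothetical. Two assumptions: the `*>=` entry is read as a revision-only match (same upstream version, revision at or above the one listed), and only dotted-numeric versions with an optional -rN suffix are parsed.

```python
import re

# Ranges transcribed from the "Affected packages" table of GLSA 200509-19.
ADVISORY = {
    "dev-php/php": {
        "vulnerable": [("<", "4.4.0-r1")],
        "unaffected": [("*>=", "4.3.11-r1"), (">=", "4.4.0-r1")],
    },
    "dev-php/mod_php": {
        "vulnerable": [("<", "4.4.0-r2")],
        "unaffected": [("*>=", "4.3.11-r1"), (">=", "4.4.0-r2")],
    },
    "dev-php/php-cgi": {
        "vulnerable": [("<", "4.4.0-r2")],
        "unaffected": [("*>=", "4.3.11-r2"), (">=", "4.4.0-r2")],
    },
}

def parse(version):
    """Split '4.3.11-r2' into ((4, 3, 11), 2); a missing -rN means r0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def matches(op, installed, bound):
    (iv, ir), (bv, br) = parse(installed), parse(bound)
    if op == "<":
        return (iv, ir) < (bv, br)
    if op == ">=":
        return (iv, ir) >= (bv, br)
    if op == "*>=":  # assumption: same upstream version, revision >= bound
        return iv == bv and ir >= br
    raise ValueError(f"unknown operator: {op!r}")

def classify(package, installed):
    """Return 'unaffected', 'vulnerable' or 'not listed' for one package."""
    entry = ADVISORY[package]
    # An unaffected match takes precedence over the broad "<" vulnerable range.
    if any(matches(op, installed, b) for op, b in entry["unaffected"]):
        return "unaffected"
    if any(matches(op, installed, b) for op, b in entry["vulnerable"]):
        return "vulnerable"
    return "not listed"

if __name__ == "__main__":
    # Constructed sample inventory, not taken from the advisory.
    for pkg, ver in [("dev-php/php", "4.3.11"), ("dev-php/mod_php", "4.4.0-r1"),
                     ("dev-php/php-cgi", "4.3.11-r2")]:
        print(f"{pkg}-{ver}: {classify(pkg, ver)}")
```

Note that the same version can classify differently per package: 4.4.0-r1 is fixed for dev-php/php but still vulnerable for dev-php/mod_php and dev-php/php-cgi.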

    
    


