[FLSA-2005:166943] Updated php packages fix security issues

From: Marc Deslauriers (marcdeslauriers_at_videotron.ca)
Date: 11/29/05

    Date: Mon, 28 Nov 2005 19:41:16 -0500
    To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
    
    
    

    ---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

    Synopsis: Updated php packages fix security issues
    Advisory ID: FLSA:166943
    Issue date: 2005-11-28
    Product: Red Hat Linux, Fedora Core
    Keywords: Bugfix
    CVE Names: CVE-2005-2498 CVE-2005-3390 CVE-2005-3389
                       CVE-2005-3388 CVE-2005-3353
    ---------------------------------------------------------------------

    ---------------------------------------------------------------------
    1. Topic:

    Updated PHP packages that fix multiple security issues are now
    available.

    PHP is an HTML-embedded scripting language commonly used with the Apache
    HTTP Web server.

    2. Relevant releases/architectures:

    Red Hat Linux 7.3 - i386
    Red Hat Linux 9 - i386
    Fedora Core 1 - i386
    Fedora Core 2 - i386

    3. Problem description:

    A bug was discovered in the PEAR XML-RPC Server package included in PHP.
    If a PHP script is used which implements an XML-RPC Server using the
    PEAR XML-RPC package, then it is possible for a remote attacker to
    construct an XML-RPC request which can cause PHP to execute arbitrary
    PHP commands as the 'apache' user. The Common Vulnerabilities and
    Exposures project (cve.mitre.org) has assigned the name CVE-2005-2498 to
    this issue.

    A flaw was found in the way PHP registers global variables during a file
    upload request. A remote attacker could submit a carefully crafted
    multipart/form-data POST request that would overwrite the $GLOBALS
    array, altering expected script behavior and possibly leading to the
    execution of arbitrary PHP commands. Please note that this vulnerability
    only affects installations which have register_globals enabled in the
    PHP configuration file, which is neither the default nor a recommended
    setting. The Common Vulnerabilities and Exposures project assigned the
    name CVE-2005-3390 to this issue.

    A flaw was found in the PHP parse_str() function. If a PHP script passes
    only one argument to parse_str(), and the script can be forced to abort
    during that call (for example by exceeding the memory_limit setting),
    register_globals may be left enabled even though it is disabled in the
    PHP configuration file. This vulnerability only affects installations
    that have PHP scripts calling parse_str() in this way. (CVE-2005-3389)
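
    Because both of the issues above hinge on register_globals, the first
    thing to establish on a host that cannot be patched immediately is where
    that directive is actually enabled. The script below is an added example,
    not part of this advisory or of the PHP project: it reads the effective
    setting out of a php.ini (the last occurrence of the directive wins, as
    it does for PHP itself) and also lists .htaccess files that switch
    register_globals on with php_flag or php_value, since mod_php applies
    those per directory on top of php.ini. Paths and the sample file contents
    are constructed for illustration. One caveat it encodes: a missing
    directive means PHP's built-in default applies, and that default was On
    before PHP 4.2.0 (Red Hat Linux 7.3 ships PHP 4.1.2).

```shell
#!/bin/sh
# Added example, not part of the Fedora Legacy advisory. CVE-2005-3390 only
# affects hosts with register_globals enabled, and CVE-2005-3389 is a way for
# a script to switch it on behind the administrator's back, so the first
# question on an unpatched host is: where is register_globals enabled?
# This answers it from php.ini and from per-directory .htaccess overrides.
# File locations and the sample contents used for testing are constructed.

# php_ini_register_globals FILE
# Prints "on", "off" or "unset". The last occurrence of the directive wins,
# as it does when PHP reads php.ini. "unset" means PHP's built-in default
# applies, which is On for PHP before 4.2.0 (Red Hat Linux 7.3 ships 4.1.2).
php_ini_register_globals() {
    val=$(sed -e 's/;.*$//' "$1" \
        | grep -i '^[[:space:]]*register_globals[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z')
    if [ -z "$val" ]; then
        echo unset
        return 0
    fi
    case "$val" in
        on|1|true|yes) echo on ;;
        *)             echo off ;;
    esac
}

# htaccess_register_globals DIR
# Prints each .htaccess under DIR that turns register_globals on with
# php_flag or php_value; mod_php applies these per directory, overriding
# php.ini, so a clean php.ini alone does not settle the question.
htaccess_register_globals() {
    find "$1" -type f -name .htaccess 2>/dev/null | while IFS= read -r f; do
        if sed -e 's/#.*$//' "$f" \
           | grep -iqE '^[[:space:]]*php_(flag|value)[[:space:]]+register_globals[[:space:]]+(on|1|true|yes)[[:space:]]*$'; then
            echo "$f"
        fi
    done
}

# Usage: sh check_register_globals.sh /etc/php.ini /var/www/html
if [ $# -ge 1 ]; then
    echo "php.ini register_globals: $(php_ini_register_globals "$1")"
fi
if [ $# -ge 2 ]; then
    htaccess_register_globals "$2"
fi
```

    Run it against the php.ini the web server actually loads (phpinfo()
    reports the path, but see the note on phpinfo() below) and against the
    document root; a reported "on", or any .htaccess listed, means the
    register_globals issues apply to that host regardless of what the
    default configuration says.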

    A Cross-Site Scripting flaw was found in the phpinfo() function. If a
    victim can be tricked into following a malicious URL to a site with a
    page displaying the phpinfo() output, it may be possible to inject
    JavaScript or HTML content into the displayed page or steal data such as
    cookies. This vulnerability only affects installations which allow users
    to view the output of the phpinfo() function. As the phpinfo() function
    outputs a large amount of information about the current state of PHP, it
    should only be used during debugging or if protected by authentication.
    (CVE-2005-3388)

    A denial of service flaw was found in the way PHP processes EXIF image
    data. It is possible for an attacker to cause PHP to crash by supplying
    carefully crafted EXIF image data. (CVE-2005-3353)

    Users of PHP should upgrade to these updated packages, which contain
    backported patches that resolve these issues.

    4. Solution:

    Before applying this update, make sure all previously released errata
    relevant to your system have been applied.

    To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

    where [filenames] is a list of the RPMs you wish to upgrade. Only those
    RPMs which are currently installed will be updated. Those RPMs which
    are not installed but included in the list will not be updated. Note
    that you can also use wildcards (*.rpm) if your current directory *only*
    contains the desired RPMs.

    Please note that this update is also available via yum and apt. Many
    people find this an easier way to apply updates. To use yum issue:

    yum update

    or to use apt:

    apt-get update; apt-get upgrade

    This will start an interactive process that will result in the
    appropriate RPMs being upgraded on your system. This assumes that you
    have yum or apt-get configured for obtaining Fedora Legacy content.
    Please visit http://www.fedoralegacy.org/docs for directions on how to
    configure yum and apt-get.

    5. Bug IDs fixed:

    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166943

    6. RPMs required:

    Red Hat Linux 7.3:
    SRPM:
    http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/php-4.1.2-7.3.18.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-4.1.2-7.3.18.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-devel-4.1.2-7.3.18.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-imap-4.1.2-7.3.18.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-ldap-4.1.2-7.3.18.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-manual-4.1.2-7.3.18.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-mysql-4.1.2-7.3.18.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-odbc-4.1.2-7.3.18.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-pgsql-4.1.2-7.3.18.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-snmp-4.1.2-7.3.18.legacy.i386.rpm

    Red Hat Linux 9:

    SRPM:
    http://download.fedoralegacy.org/redhat/9/updates/SRPMS/php-4.2.2-17.16.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/redhat/9/updates/i386/php-4.2.2-17.16.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/php-devel-4.2.2-17.16.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/php-imap-4.2.2-17.16.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/php-ldap-4.2.2-17.16.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/php-manual-4.2.2-17.16.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/php-mysql-4.2.2-17.16.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/php-odbc-4.2.2-17.16.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/php-pgsql-4.2.2-17.16.legacy.i386.rpm
    http://download.fedoralegacy.org/redhat/9/updates/i386/php-snmp-4.2.2-17.16.legacy.i386.rpm

    Fedora Core 1:

    SRPM:
    http://download.fedoralegacy.org/fedora/1/updates/SRPMS/php-4.3.11-1.fc1.3.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/fedora/1/updates/i386/php-4.3.11-1.fc1.3.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/php-devel-4.3.11-1.fc1.3.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/php-domxml-4.3.11-1.fc1.3.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/php-imap-4.3.11-1.fc1.3.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/php-ldap-4.3.11-1.fc1.3.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/php-mbstring-4.3.11-1.fc1.3.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/php-mysql-4.3.11-1.fc1.3.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/php-odbc-4.3.11-1.fc1.3.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/php-pgsql-4.3.11-1.fc1.3.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/php-snmp-4.3.11-1.fc1.3.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/1/updates/i386/php-xmlrpc-4.3.11-1.fc1.3.legacy.i386.rpm

    Fedora Core 2:

    SRPM:
    http://download.fedoralegacy.org/fedora/2/updates/SRPMS/php-4.3.11-1.fc2.4.legacy.src.rpm

    i386:
    http://download.fedoralegacy.org/fedora/2/updates/i386/php-4.3.11-1.fc2.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/php-devel-4.3.11-1.fc2.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/php-domxml-4.3.11-1.fc2.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/php-imap-4.3.11-1.fc2.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/php-ldap-4.3.11-1.fc2.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/php-mbstring-4.3.11-1.fc2.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/php-mysql-4.3.11-1.fc2.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/php-odbc-4.3.11-1.fc2.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/php-pear-4.3.11-1.fc2.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/php-pgsql-4.3.11-1.fc2.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/php-snmp-4.3.11-1.fc2.4.legacy.i386.rpm
    http://download.fedoralegacy.org/fedora/2/updates/i386/php-xmlrpc-4.3.11-1.fc2.4.legacy.i386.rpm

    7. Verification:

    SHA1 sum                                  Package Name
    ---------------------------------------------------------------------

    8bdf500386f11c6484c04361095061cce6c5c5f8  redhat/7.3/updates/i386/php-4.1.2-7.3.18.legacy.i386.rpm
    592c870e99523279267a0daea98c7dc08b09e5ca  redhat/7.3/updates/i386/php-devel-4.1.2-7.3.18.legacy.i386.rpm
    9f84a76296d88673ba8354f416a6ee75b86afb3f  redhat/7.3/updates/i386/php-imap-4.1.2-7.3.18.legacy.i386.rpm
    8c4b7136f2cac5f8eea394db819e0f67a973e4ff  redhat/7.3/updates/i386/php-ldap-4.1.2-7.3.18.legacy.i386.rpm
    d579f333822efd11fb2fc1364d2b9218bd3547a9  redhat/7.3/updates/i386/php-manual-4.1.2-7.3.18.legacy.i386.rpm
    50ec5b4419f70839b5c0b328a605189137477d12  redhat/7.3/updates/i386/php-mysql-4.1.2-7.3.18.legacy.i386.rpm
    a73300b91e8ac8aee1792f5ec0975fb312b7f780  redhat/7.3/updates/i386/php-odbc-4.1.2-7.3.18.legacy.i386.rpm
    af7de72af9756d6085d255544de389eb8f355c39  redhat/7.3/updates/i386/php-pgsql-4.1.2-7.3.18.legacy.i386.rpm
    d96277ec0aa9d37af3372eedb0868249ca96ff51  redhat/7.3/updates/i386/php-snmp-4.1.2-7.3.18.legacy.i386.rpm
    8a03b8a7832aba6baf825ec64778f4a321707405  redhat/7.3/updates/SRPMS/php-4.1.2-7.3.18.legacy.src.rpm
    7ad045d32b304f8dd7ddb19b4b635c729e0150df  redhat/9/updates/i386/php-4.2.2-17.16.legacy.i386.rpm
    1d27a480f2bd80e5de58f2bca1d35866c731a82b  redhat/9/updates/i386/php-devel-4.2.2-17.16.legacy.i386.rpm
    649d6cf648ae7900e7c2a4d4a5cb6170b4dabf54  redhat/9/updates/i386/php-imap-4.2.2-17.16.legacy.i386.rpm
    c80cb4ed7a141d71b1506ec53473df0f67a33f87  redhat/9/updates/i386/php-ldap-4.2.2-17.16.legacy.i386.rpm
    1b8467345c7a63f7e929052d320e9cafa966e3a1  redhat/9/updates/i386/php-manual-4.2.2-17.16.legacy.i386.rpm
    691b73249fcb8555bce72b9cc11f7bf305dc837b  redhat/9/updates/i386/php-mysql-4.2.2-17.16.legacy.i386.rpm
    373d8598c44551d061c1a1c43699d76533d98941  redhat/9/updates/i386/php-odbc-4.2.2-17.16.legacy.i386.rpm
    6ad36765c9d8585222e0ec8814f3000af9ceaefc  redhat/9/updates/i386/php-pgsql-4.2.2-17.16.legacy.i386.rpm
    c8320f5f79c80ba3f22f85d93775db06746fb2a8  redhat/9/updates/i386/php-snmp-4.2.2-17.16.legacy.i386.rpm
    1502c7295697edcb34d89c28b922ac39785e6b20  redhat/9/updates/SRPMS/php-4.2.2-17.16.legacy.src.rpm
    cd04cc6c329e18a9c0c989cdb9a5fcdc9b6712c8  fedora/1/updates/i386/php-4.3.11-1.fc1.3.legacy.i386.rpm
    bdb82f6017f088488443cec5f97650aa172714bd  fedora/1/updates/i386/php-devel-4.3.11-1.fc1.3.legacy.i386.rpm
    5921f184247991ddac4b398a617abea8768cd9d5  fedora/1/updates/i386/php-domxml-4.3.11-1.fc1.3.legacy.i386.rpm
    b38b1aabdcee19a8764b9156ffbd4a7fd15c5345  fedora/1/updates/i386/php-imap-4.3.11-1.fc1.3.legacy.i386.rpm
    ecb2bfd639fe1e44a389e2527babbd912279d6ad  fedora/1/updates/i386/php-ldap-4.3.11-1.fc1.3.legacy.i386.rpm
    3bd193c7d75216cbe34cee7c637be042b2197693  fedora/1/updates/i386/php-mbstring-4.3.11-1.fc1.3.legacy.i386.rpm
    0883a4ef7c03d8faebc90ed0f4a138e1f9b64c9f  fedora/1/updates/i386/php-mysql-4.3.11-1.fc1.3.legacy.i386.rpm
    62017bd8700dcaceb2280443abb3e6fd17e9458e  fedora/1/updates/i386/php-odbc-4.3.11-1.fc1.3.legacy.i386.rpm
    c9a90440e780eb1420100ed8b0e28d92ddea0295  fedora/1/updates/i386/php-pgsql-4.3.11-1.fc1.3.legacy.i386.rpm
    ef627102ded443de2e78c33a29f76c6066f7bf5a  fedora/1/updates/i386/php-snmp-4.3.11-1.fc1.3.legacy.i386.rpm
    38da5e66ead97e573a7105ad4a62a14c75763268  fedora/1/updates/i386/php-xmlrpc-4.3.11-1.fc1.3.legacy.i386.rpm
    d2b93da45a735956e980e8a5401c4b171644794a  fedora/1/updates/SRPMS/php-4.3.11-1.fc1.3.legacy.src.rpm
    edce472b6a404a45bb0187ed2058929b51850423  fedora/2/updates/i386/php-4.3.11-1.fc2.4.legacy.i386.rpm
    5f55d05ec4dbbbd6717a14f495bfe9948bec3837  fedora/2/updates/i386/php-devel-4.3.11-1.fc2.4.legacy.i386.rpm
    d308529686de245b33057c4ce1a7e0435ba748e6  fedora/2/updates/i386/php-domxml-4.3.11-1.fc2.4.legacy.i386.rpm
    a85ba72dbcf8357c63bd7ddd71a8e7b1e270a0d0  fedora/2/updates/i386/php-imap-4.3.11-1.fc2.4.legacy.i386.rpm
    8856c97f65e6dfdf5241faa5294a9a8883de049b  fedora/2/updates/i386/php-ldap-4.3.11-1.fc2.4.legacy.i386.rpm
    f7d1159e5756ba33282920d0923bcd338306a2c8  fedora/2/updates/i386/php-mbstring-4.3.11-1.fc2.4.legacy.i386.rpm
    24d23bd41dc5c3233019a86a988057dfa8fd3576  fedora/2/updates/i386/php-mysql-4.3.11-1.fc2.4.legacy.i386.rpm
    618b32b0c28b71755c8f487b035649e44213b2cf  fedora/2/updates/i386/php-odbc-4.3.11-1.fc2.4.legacy.i386.rpm
    cf728abb52acc26f2f6d33dbb5135fdbd2ec4df0  fedora/2/updates/i386/php-pear-4.3.11-1.fc2.4.legacy.i386.rpm
    fe3a23d81b92930426f7dd3a5b687ef979d8a3b9  fedora/2/updates/i386/php-pgsql-4.3.11-1.fc2.4.legacy.i386.rpm
    771c5041ed29045e4de59bcacbc0c640247c80e7  fedora/2/updates/i386/php-snmp-4.3.11-1.fc2.4.legacy.i386.rpm
    2962cc479b53c181dd67fdd4008ee904d81e71ac  fedora/2/updates/i386/php-xmlrpc-4.3.11-1.fc2.4.legacy.i386.rpm
    2c6d2007423a9334a22451521a742ca942677c57  fedora/2/updates/SRPMS/php-4.3.11-1.fc2.4.legacy.src.rpm

    These packages are GPG signed by Fedora Legacy for security. Our key is
    available from http://www.fedoralegacy.org/about/security.php

    With that key imported, you can verify the signature on each package
    with the following command:

        rpm --checksig -v <filename>

    If you only wish to verify that a download is the file listed above and
    has not been corrupted or tampered with in transit, compare its SHA-1
    against the table in this section with the following command:

        sha1sum <filename>

    Note that a matching sum is only as trustworthy as your copy of this
    advisory; the GPG signature is what ties a package to Fedora Legacy, so
    check it before installing.
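
    The script below is an added example, not part of this advisory or of
    Fedora Legacy's tooling, of turning the SHA1 sum table in this section
    into a check that runs before rpm -Fvh. Paste the table into a file and
    point the script at it and at the directory holding the downloaded RPMs:
    it compares each package that is present, reports listed packages you
    did not download as skipped rather than failed (only installed RPMs need
    to be fetched), and exits non-zero on any mismatch so that a chained
    rpm -Fvh does not run. It accepts the table both with the sum and path
    on one line and with the sum on one line and the path on the next. File
    names, sums and payloads in the test data are constructed.

```shell
#!/bin/sh
# Added example, not part of the Fedora Legacy advisory: check downloaded
# packages against the "SHA1 sum / Package Name" list in section 7 before
# running 'rpm -Fvh'. It accepts the list either with the sum and path on one
# line or with the sum on one line and the path on the next, and it treats a
# listed package that was not downloaded (not installed, so not needed for
# 'rpm -Fvh') as skipped rather than failed. Sums and files in the test data
# are constructed; only the package names are taken from the advisory.

# check_one SUM FILE: compare one file with its expected SHA-1.
check_one() {
    name=$(basename "$2")
    if [ ! -f "$2" ]; then
        echo "SKIP  $name (not downloaded)"
    elif [ "$(sha1sum "$2" | sed 's/ .*//')" = "$1" ]; then
        echo "OK    $name"
    else
        echo "FAIL  $name (does not match the advisory)"
        return 1
    fi
}

# verify_advisory_sums MANIFEST DIR
# MANIFEST is the section-7 list pasted into a file; DIR holds the downloaded
# RPMs (flat, as 'rpm -Fvh *.rpm' expects). Returns 1 if any present package
# fails, 0 otherwise.
verify_advisory_sums() {
    manifest=$1
    dir=$2
    status=0
    sum=""
    while IFS= read -r line; do
        line=$(printf '%s\n' "$line" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        if [ -z "$line" ]; then
            continue
        fi
        if printf '%s\n' "$line" | grep -qE '^[0-9a-f]{40}$'; then
            sum=$line              # sum alone: the path is on the next line
            continue
        fi
        if printf '%s\n' "$line" | grep -qE '^[0-9a-f]{40}[[:space:]]+[^[:space:]]+$'; then
            sum=$(printf '%s\n' "$line" | sed 's/[[:space:]].*$//')
            line=$(printf '%s\n' "$line" | sed 's/^[^[:space:]]*[[:space:]]*//')
        fi
        if [ -z "$sum" ]; then
            continue               # header, separator or other noise
        fi
        check_one "$sum" "$dir/$(basename "$line")" || status=1
        sum=""
    done < "$manifest"
    return $status
}

# Typical use, once the packages are in ./downloads:
#   verify_advisory_sums flsa-166943.sha1 ./downloads \
#     && rpm --checksig -v ./downloads/*.rpm \
#     && rpm -Fvh ./downloads/*.rpm
if [ $# -eq 2 ]; then
    verify_advisory_sums "$1" "$2"
fi
```

    The sum check and the signature check answer different questions: the
    SHA-1 shows the download is the file this advisory describes, while
    rpm --checksig shows the package was built and signed by Fedora Legacy.
    Chaining both ahead of rpm -Fvh, as in the comment above, means neither
    a truncated mirror copy nor an unsigned substitute gets installed.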

    8. References:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2498
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3390
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3389
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3388
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3353

    9. Contact:

    The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
    project details at http://www.fedoralegacy.org

    ---------------------------------------------------------------------

    
    


