[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1LPn2C-0006XM-Bp@titan.mandriva.com>
Date: Wed, 21 Jan 2009 17:03:00 -0700
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2009:023 ] php
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:023
http://www.mandriva.com/security/
_______________________________________________________________________
Package : php
Date : January 21, 2009
Affected: Corporate 4.0
_______________________________________________________________________
Problem Description:
A vulnerability in PHP allowed context-dependent attackers to cause
a denial of service (crash) via a certain long string in the glob()
or fnmatch() functions (CVE-2007-4782).
A vulnerability in the cURL library in PHP allowed context-dependent
attackers to bypass safe_mode and open_basedir restrictions and read
arbitrary files using a special URL request (CVE-2007-4850).
An integer overflow in PHP allowed context-dependent attackers to
cause a denial of serivce via a special printf() format parameter
(CVE-2008-1384).
A stack-based buffer overflow in the FastCGI SAPI in PHP has unknown
impact and attack vectors (CVE-2008-2050).
Tavis Ormandy of the Google Security Team discovered a heap-based
buffer overflow when compiling certain regular expression patterns.
This could be used by a malicious attacker by sending a specially
crafted regular expression to an application using the PCRE library,
resulting in the possible execution of arbitrary code or a denial of
service (CVE-2008-2371). PHP in Corporate Server 4.0 is affected by
this issue.
A buffer overflow in the imageloadfont() function in PHP allowed
context-dependent attackers to cause a denial of service (crash)
and potentially execute arbitrary code via a crafted font file
(CVE-2008-3658).
A buffer overflow in the memnstr() function allowed context-dependent
attackers to cause a denial of service (crash) and potentially execute
arbitrary code via the delimiter argument to the explode() function
(CVE-2008-3659).
PHP, when used as a FastCGI module, allowed remote attackers to cause
a denial of service (crash) via a request with multiple dots preceding
the extension (CVE-2008-3660).
An array index error in the imageRotate() function in PHP allowed
context-dependent attackers to read the contents of arbitrary memory
locations via a crafted value of the third argument to the function
for an indexed image (CVE-2008-5498).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5498
_______________________________________________________________________
Updated Packages:
Corporate 4.0:
d55d5489013a1f9e95262571a5ef2979 corporate/4.0/i586/libphp5_common5-5.1.6-1.10.20060mlcs4.i586.rpm
8701a5ab0e71009171216ccda307e547 corporate/4.0/i586/php-cgi-5.1.6-1.10.20060mlcs4.i586.rpm
d3e8b97d03ccd01127a1aeb9e17d3d7e corporate/4.0/i586/php-cli-5.1.6-1.10.20060mlcs4.i586.rpm
6e0aa2965637f3dbc25cff1d5064bb8c corporate/4.0/i586/php-curl-5.1.6-1.1.20060mlcs4.i586.rpm
0458b8aa8daa0e39cd329761eae9d654 corporate/4.0/i586/php-devel-5.1.6-1.10.20060mlcs4.i586.rpm
89487acc8fa77864d25e5aebc40bc9b4 corporate/4.0/i586/php-fcgi-5.1.6-1.10.20060mlcs4.i586.rpm
bf404efb4e9567f431256d36833fc8d6 corporate/4.0/i586/php-pcre-5.1.6-1.1.20060mlcs4.i586.rpm
c62fb74e0d8744077e4c8ff6f50df98b corporate/4.0/SRPMS/php-5.1.6-1.10.20060mlcs4.src.rpm
e46cf717872ddfbf6a13f6d45d225533 corporate/4.0/SRPMS/php-curl-5.1.6-1.1.20060mlcs4.src.rpm
b188d26d6a781b5066d515ed5ae36ace corporate/4.0/SRPMS/php-pcre-5.1.6-1.1.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
70d99222e5692b2fd88fcb05f8f5e620 corporate/4.0/x86_64/lib64php5_common5-5.1.6-1.10.20060mlcs4.x86_64.rpm
62448b1b344cdc098b6620e0e773ef17 corporate/4.0/x86_64/php-cgi-5.1.6-1.10.20060mlcs4.x86_64.rpm
dc0df43cfe80f4b5017924152d43a91f corporate/4.0/x86_64/php-cli-5.1.6-1.10.20060mlcs4.x86_64.rpm
9ac37cd014c4012a964e65cbe9d1b01a corporate/4.0/x86_64/php-curl-5.1.6-1.1.20060mlcs4.x86_64.rpm
6ac51f6b50172ee6d5eb36ce8b8cba77 corporate/4.0/x86_64/php-devel-5.1.6-1.10.20060mlcs4.x86_64.rpm
ab26bfe0c8370bd2bf37205cbc1df63b corporate/4.0/x86_64/php-fcgi-5.1.6-1.10.20060mlcs4.x86_64.rpm
e570ffbbd17e30630e7f14a67b57cffd corporate/4.0/x86_64/php-pcre-5.1.6-1.1.20060mlcs4.x86_64.rpm
c62fb74e0d8744077e4c8ff6f50df98b corporate/4.0/SRPMS/php-5.1.6-1.10.20060mlcs4.src.rpm
e46cf717872ddfbf6a13f6d45d225533 corporate/4.0/SRPMS/php-curl-5.1.6-1.1.20060mlcs4.src.rpm
b188d26d6a781b5066d515ed5ae36ace corporate/4.0/SRPMS/php-pcre-5.1.6-1.1.20060mlcs4.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJd4y5mqjQ0CJFipgRAlpVAJ4oOl0atBrwZTu5WA3RvdNxzIDroACgi+UH
4tzIz9f+JcmDA5Q469nYg5M=
=804z
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists