lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20071204034553.GQ8789@outflux.net>
Date: Mon, 3 Dec 2007 19:45:53 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-549-2] PHP regression

=========================================================== 
Ubuntu Security Notice USN-549-2          December 03, 2007
php5 regression
https://launchpad.net/bugs/173043
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  libapache2-mod-php5             5.2.3-1ubuntu6.2
  php5-cgi                        5.2.3-1ubuntu6.2
  php5-cli                        5.2.3-1ubuntu6.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-549-1 fixed vulnerabilities in PHP.  However, some upstream changes
were incomplete, which caused crashes in certain situations with Ubuntu
7.10.  This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that the wordwrap function did not correctly
 check lengths.  Remote attackers could exploit this to cause
 a crash or monopolize CPU resources, resulting in a denial of
 service. (CVE-2007-3998)

 Integer overflows were discovered in the strspn and strcspn functions.
 Attackers could exploit this to read arbitrary areas of memory, possibly
 gaining access to sensitive information. (CVE-2007-4657)

 Stanislav Malyshev discovered that money_format function did not correctly
 handle certain tokens.  If a PHP application were tricked into processing
 a bad format string, a remote attacker could execute arbitrary code with
 application privileges. (CVE-2007-4658)

 It was discovered that the php_openssl_make_REQ function did not
 correctly check buffer lengths.  A remote attacker could send a
 specially crafted message and execute arbitrary code with application
 privileges. (CVE-2007-4662)

 It was discovered that certain characters in session cookies were not
 handled correctly.  A remote attacker could injection values which could
 lead to altered application behavior, potentially gaining additional
 privileges. (CVE-2007-3799)

 Gerhard Wagner discovered that the chunk_split function did not
 correctly handle long strings.  A remote attacker could exploit this
 to execute arbitrary code with application privileges.  (CVE-2007-2872,
 CVE-2007-4660, CVE-2007-4661)

 Stefan Esser discovered that deeply nested arrays could be made to
 fill stack space.  A remote attacker could exploit this to cause a
 crash or monopolize CPU resources, resulting in a denial of service.
 (CVE-2007-1285, CVE-2007-4670)

 Rasmus Lerdorf discovered that the htmlentities and htmlspecialchars
 functions did not correctly stop when handling partial multibyte
 sequences.  A remote attacker could exploit this to read certain areas of
 memory, possibly gaining access to sensitive information. (CVE-2007-5898)

 It was discovered that the output_add_rewrite_var fucntion would
 sometimes leak session id information to forms targeting remote URLs.
 Malicious remote sites could use this information to gain access to a
 PHP application user's login credentials. (CVE-2007-5899)


Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.2.3-1ubuntu6.2.diff.gz
      Size/MD5:   126545 02fbb9e80b615dc9a718d60c9367538a
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.2.3-1ubuntu6.2.dsc
      Size/MD5:     1921 d8aec3af9962e69e67bc7ae6bfa31537
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.2.3.orig.tar.gz
      Size/MD5:  9341653 df79b04d63fc4c1ccb6d8ea58a9cf3ac

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php-pear_5.2.3-1ubuntu6.2_all.deb
      Size/MD5:   351400 62ead0de4a2ea48ca87be08b0448f5ab
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.2.3-1ubuntu6.2_all.deb
      Size/MD5:     1082 77c1c2ec676628707caf5588962f0f45

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:  2669448 95ae60da41ef7b4594f86ff5264a13d4
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:  5190794 1758c00b1b859342f5c3e73e5e867bbd
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:  2617924 b4bda6f34586d6c8887cb2c10079ea76
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:   222450 67e1f5d10721cad22936f0068211a3c7
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:    24778 811ec34d4ea460b00fac5bdb16e9b8f5
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:   355046 dfb88072d5b404ee353f4af63ae9ebb2
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:    37826 6c17e662bb7a6b2c525a705d91fa65d5
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:    19948 753ec86c6795479bc0891ca9c0670b91
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:     5516 66519e995a609455868d5ad23e927221
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:    73880 afcde53c84b70c2f9882d6c319f0ca6c
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:    37356 ee6186620f7ee27b153c5104db3fa541
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:    55904 99be8556d41e3561a25e24c281d0a11b
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pspell_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:     9642 c3295facb9fa364802abb6857f46f63d
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:     4996 455b57531d167ecc89555e6e1f5605de
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:    12352 fdca6404e8a8621fa702f1866e46751a
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:    39482 55d7eb36b22298c3cae3305ea6e210f4
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:    19824 8d13dfe918c0cea9d41fae314e22452d
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-tidy_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:    17880 9ab41423658fbff93ae9c9012400d8ac
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:    40808 eb5b2070dab4107f00e8e7475eab2b14
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.2.3-1ubuntu6.2_amd64.deb
      Size/MD5:    13368 8dc3c21c551572a5187341fe7f9368a4

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:  2542558 0fa871af840de95357d417e81b1bde12
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:  5024704 4d076101de583289f74b472f66a3d321
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:  2530522 a45f9fae50da18f4455a55c166b73f0a
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:   218722 5c3bc75d5873441488fd0c8f65c2b53f
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:    23598 a04e61affc316a84891bad58ee0eddbd
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:   355044 94e2c641392ac5ae29e237c5132382f7
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:    33490 0afcb138e970ca9d10dc1d754470494e
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:    17970 b0258ea33e7642deb82aaead60a0e978
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:     5194 49596e1453c3131e06af3e045a623977
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:    65216 80135f11d58a1c872d4d60989baedf48
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:    34432 29f2821eafc5fbf46a6e8ca4feec1970
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:    51304 e66d6510daaaa6b4a6d4b64a5f7a0a60
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pspell_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:     8700 a594aa7f95afa110e83e529b97aa2f40
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:     4774 5a766568c97f65f2be95c60f4a57bda9
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:    11562 a663a6acf219a33af357f78c70c6b89d
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:    34496 ab97a8b5c2b87c89517c6372907e4223
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:    18134 9b97f35dd2cf631b8d4d407b802e09ba
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-tidy_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:    16348 061fc0d3060ab441b7319608d7968ac6
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:    37722 9d9eba9fd632f8d473ed095e17ad6d57
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.2.3-1ubuntu6.2_i386.deb
      Size/MD5:    12402 355d6a8d187b53704d169ac2527b51a3

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:  2742574 b90d20abf4b71b58d67902f0904e3f54
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:  5270574 67c8541045c90489d495ce234f6e1ffb
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:  2654246 f27259c7b3841e50bf3c86dc782b20f0
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:   225816 31458de4e7c9177f0138973fc0d5b25b
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:    28060 86f7e5fad55a12472c985c32f743f015
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:   355080 fecb9665cbde35a8518b600cdf205fb4
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:    39110 adc0322de702ada2e0b80e490e417685
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:    21724 edc5f9999abac743ecc66592cecf3767
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:     7640 6377891afce3ee5b592c32cc95b42f95
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:    78026 47fd399637c816e4a4206f76cd9d8afc
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:    40974 641321c2fb3f5b8de7d772f3eeba46bc
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:    59574 58b072639918acd35515d8eceb76971d
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pspell_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:    11248 4e667071c4471a24ecae795485aa3655
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:     7172 1d98c91eafdf94442f8e4efddcbc0946
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:    14118 6fc7790c62b8a7ae231a974271ce40f5
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:    42674 53a718dcd9cebd06054ca7bcba4b31c6
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:    21860 b210d78bfc0a04fa53f45b901ad3158e
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-tidy_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:    20138 a5b73e99fe5320576a0ade3b9aca0cd4
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:    43136 29eb3af8e346b10ae0c150406e16b996
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.2.3-1ubuntu6.2_powerpc.deb
      Size/MD5:    15466 e1e046bc8e77d9237038abce92763c74

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:  2576838 4eb1b61129d7191fa5f9a8186a3eb545
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:  5020902 a74c4167bd3c9072b62c8e8d4ac40eb9
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:  2529358 790f9b28adf0a84e1f5fe8421fb9c5c6
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:   218684 d3becd4261e09cdecbcdb17a2c28df2d
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:    24486 c0eb7ca78a301b561175403f8a72f1a5
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:   355090 4aba6b1a9c1cbe55e43ba0cd2e281740
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:    34328 d002fe95e04fa7d471a401d29d18521f
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:    17966 74f9b87291910eccdd06138619c27dc8
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:     5070 cf33fa098810fe83e872c6156933b410
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:    64752 c92758c6d14df97dfcb57d7aa2d6c243
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:    32858 23ff82df0be4350ae39a0602e41bfe3e
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:    50136 10970c45c6d1f679d478c781881d4adb
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pspell_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:     8620 899ac45be91a8ffa5630c99bf91fe059
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:     4754 101ac244742ef3c43d95ab1ccd5a0262
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:    11428 d8d1fb1c1a8e1b0f60fafc06a0e2ab07
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:    33264 b5fe644c2419e3336f23ba47301174cb
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:    17918 895e4b8d78babe51b656e5c3536542b0
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-tidy_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:    16494 18f96996d94c777cf35150ebb7799653
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:    36576 fe16a39635b929178778d1df340e8250
    http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.2.3-1ubuntu6.2_sparc.deb
      Size/MD5:    11958 98ceda91197ea9d786f66f43d2fd4c4f


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ