Message-ID: <20071204034553.GQ8789@outflux.net>
Date: Mon, 3 Dec 2007 19:45:53 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-549-2] PHP regression
===========================================================
Ubuntu Security Notice USN-549-2 December 03, 2007
php5 regression
https://launchpad.net/bugs/173043
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  libapache2-mod-php5             5.2.3-1ubuntu6.2
  php5-cgi                        5.2.3-1ubuntu6.2
  php5-cli                        5.2.3-1ubuntu6.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-549-1 fixed vulnerabilities in PHP. However, some upstream changes
were incomplete, which caused crashes in certain situations with Ubuntu
7.10. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that the wordwrap function did not correctly
check lengths. Remote attackers could exploit this to cause
a crash or monopolize CPU resources, resulting in a denial of
service. (CVE-2007-3998)

Integer overflows were discovered in the strspn and strcspn functions.
Attackers could exploit this to read arbitrary areas of memory, possibly
gaining access to sensitive information. (CVE-2007-4657)

Stanislav Malyshev discovered that the money_format function did not
correctly handle certain tokens. If a PHP application were tricked into
processing a bad format string, a remote attacker could execute arbitrary
code with application privileges. (CVE-2007-4658)

It was discovered that the php_openssl_make_REQ function did not
correctly check buffer lengths. A remote attacker could send a
specially crafted message and execute arbitrary code with application
privileges. (CVE-2007-4662)

It was discovered that certain characters in session cookies were not
handled correctly. A remote attacker could inject values which could
lead to altered application behavior, potentially gaining additional
privileges. (CVE-2007-3799)

Gerhard Wagner discovered that the chunk_split function did not
correctly handle long strings. A remote attacker could exploit this
to execute arbitrary code with application privileges. (CVE-2007-2872,
CVE-2007-4660, CVE-2007-4661)

Stefan Esser discovered that deeply nested arrays could be made to
fill stack space. A remote attacker could exploit this to cause a
crash or monopolize CPU resources, resulting in a denial of service.
(CVE-2007-1285, CVE-2007-4670)

Rasmus Lerdorf discovered that the htmlentities and htmlspecialchars
functions did not correctly stop when handling partial multibyte
sequences. A remote attacker could exploit this to read certain areas of
memory, possibly gaining access to sensitive information. (CVE-2007-5898)

It was discovered that the output_add_rewrite_var function would
sometimes leak session id information to forms targeting remote URLs.
Malicious remote sites could use this information to gain access to a
PHP application user's login credentials. (CVE-2007-5899)

Updated packages for Ubuntu 7.10: