Summary: CVE-2007-1285 "Month of PHP Bugs" security issues (CVE-2007-1286 CVE-2007-1583 CVE-2007-1711 CVE-2007-1718)
Product: Red Hat Enterprise Linux 4
Reporter: Joe Orton <jorton>
Component: php
Assignee: Joe Orton <jorton>
Status: CLOSED ERRATA
QA Contact: David Lawrence <dkl>
Version: 4.0
CC: bressers, felix.schwarz, gozen, nsoranzo
Fixed In Version: RHSA-2007-0155
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2007-04-16 15:33:05 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Description Joe Orton 2007-03-01 15:13:20 UTC
Description of problem: This bug will be used to provide tracking information for the issues reported during the "Month of PHP Bugs" initiative, http://www.php-security.org/
Comment 1 Joe Orton 2007-03-01 16:20:47 UTC
Introduction: The PHP interpreter does not offer a reliable "sandboxed" security layer (as found in, say, a JVM) in which untrusted scripts can be run; any script run by the PHP interpreter must be trusted with the privileges of the interpreter itself. In analysis of these issues, bugs which rely on an "untrusted local attacker" will therefore not be classified as being security-sensitive, since no trust boundary is crossed.
Comment 2 Joe Orton 2007-03-01 16:21:13 UTC
MOPB-01-2007 describes an issue in the PHP interpreter regarding the reference counting of variables, which can only be triggered by the author of the script itself. Per the introduction, this bug would not be treated as security-sensitive.
Comment 3 Joe Orton 2007-03-01 16:21:30 UTC
A script which allows unbounded function recursion will eventually cause the interpreter to overflow the process stack and trigger a segmentation fault; this "feature" of the PHP interpreter is under the control of the script author so would not be treated as security-sensitive per the introduction. Since this "feature" has been (repeatedly) reported publically as a "security issue" in the past, it has been assigned a CVE name by MITRE, CVE-2006-1549.

MOPB-02-2007 and MOPB-03-2007 both concern the handling of (untrusted) input data which contains deeply-nested arrays. MOPB-02-2007 describes how a script processing such input data in a recursive fashion, without concern for recursion bounds, may crash the interpreter, as described in the previous paragraph. MOPB-03-2007 describes how, on automatic deallocation of a deeply-nested-array variable, the PHP interpreter may itself overflow the process stack and crash.

The attack vector here in both cases is the single issue, that PHP allows input arrays of arbitrary nesting; this would be treated as security-sensitive. The impact of this issue is Low; in both paths the consequence of the bug is to segfault a single Apache httpd child process, which will be immediately replaced.
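A script-side guard for the MOPB-02-2007 path described in the comment above, added here as an example; it is not code from the bug report or from the PHP project. It checks the nesting depth of a decoded request array against a fixed bound before any recursive processing runs, so the script's own recursion can never go deeper than the bound. The bound of 8, the helper names and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example, not from the bug report or PHP itself.
// Bound the nesting depth of untrusted input arrays before any
// recursive processing touches them, so the script never recurses
// without a limit on attacker-controlled data.

const MAX_INPUT_DEPTH = 8; // assumed bound; pick what your forms need

// Returns true when $value nests deeper than $limit levels.
// The recursion here is bounded by $limit itself: it stops descending
// as soon as the bound is crossed, so the check cannot overflow the stack.
function input_depth_exceeds(array $value, int $limit, int $depth = 1): bool
{
    if ($depth > $limit) {
        return true;
    }
    foreach ($value as $item) {
        if (is_array($item) && input_depth_exceeds($item, $limit, $depth + 1)) {
            return true;
        }
    }
    return false;
}

// Flattens a request array that has already passed the depth check
// into "a[b][c]" => scalar pairs. It is recursive on purpose: this is
// the kind of routine the guard protects, and it is only safe after it.
function flatten_request(array $value, string $prefix = ''): array
{
    $out = [];
    foreach ($value as $key => $item) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($item)) {
            $out += flatten_request($item, $name);
        } else {
            $out[$name] = $item;
        }
    }
    return $out;
}

// Constructed sample inputs standing in for $_POST.
$ok = ['user' => ['name' => 'alice', 'roles' => ['a', 'b']]]; // 3 levels deep

$deep = [];
$cursor = &$deep;
for ($i = 0; $i < 50; $i++) {   // build a 50-level nested array
    $cursor['x'] = [];
    $cursor = &$cursor['x'];
}
unset($cursor);

foreach (['ok' => $ok, 'deep' => $deep] as $label => $input) {
    if (input_depth_exceeds($input, MAX_INPUT_DEPTH)) {
        // Reject the request (an HTTP 400 in a real handler) and log it;
        // do not hand the data to any recursive routine.
        error_log("request '$label' rejected: input nested deeper than " . MAX_INPUT_DEPTH);
        continue;
    }
    print_r(flatten_request($input));
}
```

The check only covers what the script does with the array (MOPB-02-2007); the interpreter's own stack overflow while freeing a deeply nested variable (MOPB-03-2007) happens regardless of script code and needs the interpreter fix. Later PHP releases added the max_input_nesting_level ini directive, which rejects over-nested request input at parse time; that directive is not mentioned in this bug and is noted here as the usual long-term control.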
Comment 5 Joe Orton 2007-03-02 15:57:56 UTC
MOPB-04-2007 describes an issue in the PHP unserialize() function in PHP 4.4.x; if this function is used on an untrusted input string, the object reference count can be forced to overflow, which allows the attacker to execute arbitrary code as the PHP user. An input string required to exploit this issue must exceed ~512K in length, so default Apache line length limits will prevent this from being exploited via input data carried in the HTTP request headers or URI. (CVE: none assigned, Impact: Important)
Comment 6 Joe Orton 2007-03-02 15:59:34 UTC
MOPB-05-2007: If unserializing untrusted data on 64-bit platforms the zend_hash_init() function can be forced to enter an infinite loop, consuming CPU resources, for a limited duration of time, until the script timeout alarm aborts the script. Errata fixing this bug have already been issued; see bug 228858. (CVE: CVE-2007-0988; Impact: Moderate)
Comment 8 Joe Orton 2007-03-03 20:58:47 UTC
"BONUS-06-2007" and "BONUS-07-2007" concern issues in the Zend Platform product, which is not distributed in Red Hat Enterprise Linux. MOPB-08-2007 describes a cross-site-scripting issue in the phpinfo() function in certain versions of PHP. Generally, the phpinfo() function should not be used in publically-accessible PHP scripts. (CVE: none assigned; Impact: Low)
Comment 9 Joe Orton 2007-03-05 12:49:41 UTC
MOPB-09-2007 describes an issue in the WDDX extension which was introduced in the PHP CVS development branch, and is not present in any released version of PHP. MOPB-10-2007 describes an issue in the session extension which allows a heap information leak. Errata fixing this bug have already been issued; see bug 228858. MOPB-11-2007 describes an issue in the WDDX extension which allowed a heap information leak. Errata fixing this bug have already been issued; see bug 228858.
Comment 10 Joe Orton 2007-03-06 16:30:09 UTC
BONUS-12-2007 describes an issue in mod_security, which is not distributed in Red Hat Enterprise Linux. MOPB-13-2007 describes an issue in the "ovrimos" extension, which is not included in the PHP package distributed in Red Hat Enterprise Linux.
Comment 12 Joe Orton 2007-03-07 13:54:07 UTC
Update: MOPB-08-2007 was a regression introduced with the fix for CVE-2006-0996 added in PHP 4.4.3, and has been assigned CVE-2007-1287. This regression was not present in the patch used to fix CVE-2006-0996 in Red Hat Enterprise Linux.
Comment 14 Joe Orton 2007-03-08 15:49:47 UTC
MOPB-14-2007 describes an integer overflow in the substr_compare() function. This function is not present in the versions of PHP distributed in Red Hat Enterprise Linux v2.1, v3 or v4. MOPB-15-2007 describes input validation bugs in the shmop extension. These bugs could only be triggered by the author of the PHP script, so would not be treated as security-sensitive per comment 1.
Comment 15 Joe Orton 2007-03-12 09:56:17 UTC
MOPB-16-2007 describes a bug in the "zip" extension. MOPB-17-2007, MOPB-18-2007, and MOPB-19-2007 all describe bugs in the "filter" extension. The "filter" and "zip" extensions are not distributed in Red Hat Enterprise Linux.
Comment 16 Lubomir Kundrak 2007-03-12 18:29:10 UTC
MOPB-01-2007 CVE-2007-1383
MOPB-09-2007 CVE-2007-1381
MOPB-10-2007 CVE-2007-1380
MOPB-14-2007 CVE-2007-1375
MOPB-15-2007 CVE-2007-1376
Comment 18 Joe Orton 2007-03-14 09:58:10 UTC
Comment 20 Lubomir Kundrak 2007-03-15 11:08:48 UTC
MOPB-17-2007 CVE-2007-1452
MOPB-18-2007 CVE-2007-1454
MOPB-19-2007 CVE-2007-1453
MOPB-20-2007 CVE-2007-1460
MOPB-21-2007 CVE-2007-1461
Comment 23 Joe Orton 2007-03-20 16:31:36 UTC
MOPB-22-2007 and MOPB-23-2007 describe bugs in the session extension; there are no known methods to trigger these bugs remotely. MOPB-24-2007 describes a bug in the array_user_key_compare() which can only be triggered by a script author. These bugs are not classified as security-sensitive per comment 1.

MOPB-25-2007 describes a bug in the header() function which is unlikely to be possible to trigger remotely, and is unlikely to have any effect on most platforms. Errata have already been issued fixing this bug: see http://rhn.redhat.com/errata/CVE-2007-0907.html

MOPB-26-2007 describes a bug in the mbstring extension which may allow a remote attacker to enable the "register_globals" setting for the lifetime of an httpd child process, if the mb_parse_string() is used to process untrusted script input of a length which can force the default memory_limit to be exhausted. (CVE: none assigned; Impact: Low)

MOPB-27-2007 describes a bug in the gd extension which can only be triggered by the script author. This bug is not classified as security-sensitive per comment 1.
Comment 24 Joe Orton 2007-03-21 09:26:06 UTC
MOPB-28-2007 describes a bug in the use of user-defined stream handles which can only be triggered by the script author. This bug is not classified as security-sensitive per comment 1.
Comment 25 Lubomir Kundrak 2007-03-21 13:01:57 UTC
MOPB-22-2007 CVE-2007-1521
MOPB-23-2007 CVE-2007-1522
Comment 26 Lubomir Kundrak 2007-03-22 20:23:38 UTC
CVE-2007-1584 php MOPB-25-2007
CVE-2007-1583 php MOPB-26-2007
CVE-2007-1582 php MOPB-27-2007
CVE-2007-1581 php MOPB-28-2007
Comment 27 Joe Orton 2007-03-23 09:23:47 UTC
MOPB-29-2007 describes an issue in the unserialize() function introduced in the PHP 5.2.1 release, which does not affect the versions of PHP shipped in Red Hat Enterprise Linux.
Comment 29 Lubomir Kundrak 2007-03-27 15:52:29 UTC
MOPB-29-2007 CVE-2007-1649
MOPB-30-2007 CVE-2007-1700
MOPB-31-2007 CVE-2007-1701
Comment 30 Joe Orton 2007-03-27 16:13:32 UTC
MOPB-30-2007 describes a bug in the session extension which can only be triggered by the script author.

MOPB-31-2007 describes a bug in the session extension which allows super-globals to be over-ridden by an attacker, if session data is taken from an untrusted source. Errata have already been issued fixing this bug: see http://rhn.redhat.com/errata/CVE-2007-0910.html

MOPB-32-2007 describes a regression in the fix used for MOPB-31-2007 which may allow a remote attacker to execute arbitrary code as the "apache" user, if session data is taken from an untrusted source. (CVE: none assigned; Impact: Important)
Comment 32 Lubomir Kundrak 2007-03-28 10:13:15 UTC
MOPB-33-2007 CVE-2007-1717
MOPB-34-2007 CVE-2007-1718
Comment 34 Joe Orton 2007-03-29 10:20:29 UTC
MOPB-35-2007 describes a bug in the "zip" extension, which is not distributed in Red Hat Enterprise Linux. MOPB-36-2007 describes a bug in the "open_basedir" feature, which is not classified as security-sensitive per comment 1; see also bug 169857.
Comment 35 Joe Orton 2007-03-29 10:33:58 UTC
MOPB-33-2007 describes a bug in the mail() function which has no security impact. MOPB-34-2007 describes a bug in the mail() function which allows a remote attacker to inject arbitrary headers into generated mail, if the "subject" parameter passed to the function uses untrusted (and unsanitized) script input; this may allow the attacker to force the script to send bulk e-mail to unintended recipients. (CVE-2007-1718, Impact: Low)
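One way a script can keep untrusted input out of the mail() "subject" header, as discussed for MOPB-34-2007 above. This is an added example, not code from the bug report or from PHP: it refuses any subject containing a line break or NUL (the characters that end a header line) instead of silently stripping them, so attempts show up in the error log. The sample subjects, the From address and the function names are constructed for the example, and mail() itself is assumed to be configured with a working sendmail path.

```php
<?php
// Added example, not from the bug report or PHP itself.
// Untrusted text placed in the Subject header can only add further
// headers if it carries a CR/LF; refusing such values closes that path.

// Returns null when the value could terminate the Subject header line
// (CR, LF or NUL); otherwise returns the value trimmed.
function header_safe_subject(string $untrusted): ?string
{
    if (preg_match('/[\r\n\0]/', $untrusted)) {
        return null;
    }
    return trim($untrusted);
}

// Wrapper around mail() that refuses to send when the subject fails the check.
// Returns true only when mail() was called and reported success.
function send_notification(string $to, string $untrustedSubject, string $body): bool
{
    $subject = header_safe_subject($untrustedSubject);
    if ($subject === null) {
        // Log and drop; a real handler would also answer with an error.
        error_log('mail subject rejected: contains header line break');
        return false;
    }
    // The From header here is a fixed, trusted value, never request input.
    return mail($to, $subject, $body, "From: noreply@example.com\r\n");
}

// Constructed inputs: a normal subject and one carrying a header line break.
$normal   = 'Order confirmation';
$injected = "Order confirmation\r\nX-Injected: yes"; // constructed, illustrative

var_dump(header_safe_subject($normal));
var_dump(header_safe_subject($injected));
```

The same check belongs on every header value built from request data (recipient, additional headers), not only the subject; the interpreter fix for MOPB-34-2007 removes the bug in mail() itself, but a script that concatenates raw input into headers remains its own source of injection.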
Comment 36 Joe Orton 2007-03-30 07:35:16 UTC
MOPB-37-2007 describes a bug in the Zend interpreter which can only be triggered by the script author. This bug is not classified as security-sensitive per comment 1.
Comment 37 Joe Orton 2007-04-02 14:17:38 UTC
MOPB-38-2007 describes an issue in the printf() function which can only be triggered by the script author.

MOPB-39-2007 describes an integer overflow in the str_replace() function, which can be triggered remotely if a script passes large untrusted strings to the third and fourth arguments of this function. Errata fixing this bug have already been issued: http://rhn.redhat.com/errata/CVE-2007-0907.html. The off-by-one bug used in the initial fix committed upstream did not affect the patch used in Red Hat Enterprise Linux.
Comment 38 Joe Orton 2007-04-02 15:38:58 UTC
MOPB-40-2007 describes a heap overflow in the imap_mail_compose() function. Errata fixing this bug have already been issued; see http://rhn.redhat.com/errata/CVE-2007-0906.html.

MOPB-41-2007 describes a bug in the sqlite2 library, a copy of which is bundled in the "sqlite" extension included in the PHP source code. Neither the "sqlite" extension nor the sqlite2 library are distributed in Red Hat Enterprise Linux.
Comment 39 Joe Orton 2007-04-02 15:43:18 UTC
MOPB-42-2007 describes a bug in the handling of stream filters, which should only be possible to be triggered by the script author. MOPB-43-2007 describes a bug in the msg_receive() function provided by the "sysvmsg" extension. This bug can only be triggered by the script author. MOPB-44-2007 describes a bug in the PHP 5.2 Zend Memory Manager, which does not affect earlier versions of PHP.
Comment 41 Mark J. Cox 2007-04-03 12:48:48 UTC
So the summary at the end of MOPB, the following unfixed issues that we class as security impact:

CVE-2007-1285 MOPB-03-2007 impact=low,public=20070301
CVE-2007-1286 MOPB-04-2007 impact=important,public=20070302
CVE-2007-1583 MOPB-26-2007 impact=low,public=20030720
CVE-2007-1711 MOPB-32-2007 impact=important,public=20070325
Comment 42 Lubomir Kundrak 2007-04-03 18:15:01 UTC
MOPB-36-2007 CVE-2007-1835
MOPB-42-2007 CVE-2007-1824
MOPB-40-2007 CVE-2007-1825
Comment 43 Joe Orton 2007-04-04 09:29:19 UTC
An unfixed issue in addition to the above summary: CVE-2007-1718 MOPB-34-2007 impact=low,public=20070326
Comment 44 Lubomir Kundrak 2007-04-06 06:22:37 UTC
MOPB-37-2007 CVE-2007-1883
MOPB-38-2007 CVE-2007-1884
MOPB-39-2007 CVE-2007-1885
MOPB-39-2007 CVE-2007-1886
MOPB-41-2007 CVE-2007-1887
MOPB-41-2007 CVE-2007-1888
MOPB-43-2007 CVE-2007-1883
MOPB-44-2007 CVE-2007-1883
MOPB-43-2007 CVE-2007-1890
Comment 47 Mark J. Cox 2007-04-16 08:10:47 UTC
Here is the complete mapping for the month, double verified against the CVE db.

MOPB-01-2007 CVE-2007-1383
MOPB-02-2007 CVE-2006-1549
MOPB-03-2007 CVE-2007-1285
MOPB-04-2007 CVE-2007-1286
MOPB-05-2007 CVE-2007-0988
BONUS-06-2007 CVE-2007-1370
BONUS-07-2007 CVE-2007-1369
MOPB-08-2007 CVE-2007-1287
MOPB-09-2007 CVE-2007-1381
MOPB-10-2007 CVE-2007-1380
MOPB-11-2007 CVE-2006-0908
BONUS-12-2007 CVE-2007-1359
MOPB-13-2007 CVE-2007-1378 CVE-2007-1379
MOPB-14-2007 CVE-2007-1375
MOPB-15-2007 CVE-2007-1376
MOPB-16-2007 CVE-2007-1399
MOPB-17-2007 CVE-2007-1452
MOPB-18-2007 CVE-2007-1454
MOPB-19-2007 CVE-2007-1453
MOPB-20-2007 CVE-2007-1460
MOPB-21-2007 CVE-2007-1461
MOPB-22-2007 CVE-2007-1521
MOPB-23-2007 CVE-2007-1522
MOPB-24-2007 CVE-2007-1484
MOPB-25-2007 CVE-2007-1584
MOPB-26-2007 CVE-2007-1583
MOPB-27-2007 CVE-2007-1582
MOPB-28-2007 CVE-2007-1581
MOPB-29-2007 CVE-2007-1649
MOPB-30-2007 CVE-2007-1700
MOPB-31-2007 CVE-2007-1701
MOPB-32-2007 CVE-2007-1711
MOPB-33-2007 CVE-2007-1717
MOPB-34-2007 CVE-2007-1718
MOPB-35-2007 CVE-2007-1777
MOPB-36-2007 CVE-2007-1835
MOPB-37-2007 CVE-2007-1883
MOPB-38-2007 CVE-2007-1884
MOPB-39-2007 CVE-2007-1885 CVE-2007-1886
MOPB-40-2007 CVE-2007-1825
MOPB-41-2007 CVE-2007-1887 CVE-2007-1888
MOPB-42-2007 CVE-2007-1824
MOPB-43-2007 CVE-2007-1889 CVE-2007-1890
MOPB-44-2007 CVE-2007-1889
MOPB-45-2007 CVE-2007-1900
Comment 50 Red Hat Bugzilla 2007-04-16 15:33:05 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0155.html