Bug 163559 - CAN-2005-1921,1751 PHP vulnerabilities
Summary: CAN-2005-1921,1751 PHP vulnerabilities
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: php
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL:
Whiteboard: LEGACY, 1, 2
Depends On:
Blocks:
Reported: 2005-07-18 21:12 UTC by Marc Deslauriers
Modified: 2007-04-18 17:29 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-29 02:16:32 UTC


Description Marc Deslauriers 2005-07-18 21:12:00 UTC
+++ This bug was initially created as a clone of Bug #162044 +++

A bug has been found in PHP's PEAR XML_RPC server which could allow remote code
execution. This bug allows injection of arbitrary PHP commands into eval()
statements. CAN-2005-1921

CAN-2005-1751:
Race condition in shtool 2.0.1 and earlier allows local users to
create or modify arbitrary files via a symlink attack on the
.shtool.$$ temporary file.
http://www.zataz.net/adviso/shtool-05252005.txt

php contains shtool in its source.
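
The temporary-file pattern behind CAN-2005-1751, shown beside two hardened forms. This is an added example, not part of the original report and not shtool's or PHP's own code; the function names are hypothetical and the `.shtool.XXXXXX` template is an assumption modelled on the file name quoted above.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not shtool's.

# Pattern described in CAN-2005-1751: the name depends only on the PID,
# so it is predictable, and a plain '>' follows whatever already sits at
# that path, including a symlink placed there by another local user.
write_tmp_predictable() {
    dir=$1; data=$2
    tmp="$dir/.shtool.$$"
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened form 1: mktemp chooses an unpredictable name and creates the
# file exclusively (it fails instead of reusing an existing path).
write_tmp_safe() {
    dir=$1; data=$2
    tmp=$(mktemp "$dir/.shtool.XXXXXX") || return 1
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened form 2, for systems without mktemp: keep the PID-based name
# but turn on noclobber (set -C) in a subshell, so '>' refuses to write
# through an existing regular file or a symlink pointing at one.
write_tmp_noclobber() {
    dir=$1; data=$2
    tmp="$dir/.shtool.$$"
    ( set -C; printf '%s\n' "$data" > "$tmp" ) 2>/dev/null || return 1
    printf '%s\n' "$tmp"
}
```

Each function prints the path it wrote to; the two hardened forms return non-zero instead of writing when the file cannot be created exclusively.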

Comment 1 Marc Deslauriers 2005-07-18 21:13:18 UTC
See:
https://rhn.redhat.com/errata/RHSA-2005-564.html

Comment 2 Marc Deslauriers 2005-07-27 03:31:26 UTC
Here are updated packages for FC1 and FC2.

CAN-2005-1751 is not exploitable in PHP. Patch was included for
completeness only.

Earlier releases than FC1 don't seem to be vulnerable to CAN-2005-1921.


fc2 changelog:
* Tue Jul 26 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 4.3.11-1.fc2.3.legacy
- add security fixes:
 * shtool temp file handling (CAN-2005-1751)
 * XML_RPC command injection (Stefan Esser, CAN-2005-1921)

fc1 changelog:
* Tue Jul 26 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 4.3.11-1.fc1.2.legacy
- add security fixes:
 * shtool temp file handling (CAN-2005-1751)
 * XML_RPC command injection (Stefan Esser, CAN-2005-1921)

Downloads:

fc1 source:
http://www.infostrategique.com/linuxrpms/legacy/1/php-4.3.11-1.fc1.2.legacy.src.rpm
fc1 binaries: http://www.infostrategique.com/linuxrpms/legacy/1/
fc2 source:
http://www.infostrategique.com/linuxrpms/legacy/2/php-4.3.11-1.fc2.3.legacy.src.rpm
fc2 binaries: http://www.infostrategique.com/linuxrpms/legacy/2/


Comment 3 Pekka Savola 2005-07-27 06:11:16 UTC
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal (the xmlrpc part from RHEL)
 - shtool patch from RHEL, xmlrpc patch from upstream
 
+PUBLISH FC1, FC2
 
16905d23967e6ec5d51b88d629125c648dfd4b2f  php-4.3.11-1.fc1.2.legacy.src.rpm
2b38cc3613283b1c133d0cd96c50a07b5400d671  php-4.3.11-1.fc2.3.legacy.src.rpm


Comment 4 Marc Deslauriers 2005-07-27 21:03:46 UTC
Packages were pushed to updates-testing.

Comment 5 Jeff Sheltren 2005-07-28 04:35:47 UTC
QA for FC1 packages:

And for FC2 packages:

Packages update cleanly
Signatures are OK
Tested out a few PHP scripts (both command line and w/ web server) everything
worked OK

FC1 VERIFY++
FC2 VERIFY++

Comment 6 Pekka Savola 2005-07-28 05:16:03 UTC
That was quick, thanks!

Comment 7 Marc Deslauriers 2005-07-29 02:16:32 UTC
Packages were officially released.

