Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 230556 (mopb) - CVE-2007-1285 "Month of PHP Bugs" security issues (CVE-2007-1286 CVE-2007-1583 CVE-2007-1711 CVE-2007-1718)
Summary: CVE-2007-1285 "Month of PHP Bugs" security issues (CVE-2007-1286 CVE-2007-158...
Keywords:
Status: CLOSED ERRATA
Alias: mopb
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: php
Version: 4.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Joe Orton
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-03-01 15:13 UTC by Joe Orton
Modified: 2007-11-30 22:07 UTC (History)
4 users (show)

Fixed In Version: RHSA-2007-0155
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-04-16 15:33:05 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0155 normal SHIPPED_LIVE Important: php security update 2007-04-16 15:33:01 UTC

Description Joe Orton 2007-03-01 15:13:20 UTC
Description of problem:
This bug will be used to provide tracking information for the issues reported
during the "Month of PHP Bugs" initiative, http://www.php-security.org/

Comment 1 Joe Orton 2007-03-01 16:20:47 UTC
Introduction: The PHP interpreter does not offer a reliable
"sandboxed" security layer (as found in, say, a JVM) in which
untrusted scripts can be run; any script run by the PHP interpreter
must be trusted with the privileges of the interpreter itself.  In
analysis of these issues, bugs which rely on an "untrusted local
attacker" will therefore not be classified as being
security-sensitive, since no trust boundary is crossed.

Comment 2 Joe Orton 2007-03-01 16:21:13 UTC
MOPB-01-2007 describes an issue in the PHP interpreter regarding the
reference counting of variables, which can only be triggered by the
author of the script itself.  Per the introduction, this bug would not
be treated as security-sensitive.

Comment 3 Joe Orton 2007-03-01 16:21:30 UTC
A script which allows unbounded function recursion will eventually
cause the interpreter to overflow the process stack and trigger a
segmentation fault; this "feature" of the PHP interpreter is under the
control of the script author so would not be treated as
security-sensitive per the introduction.  Since this "feature" has
been (repeatedly) reported publically as a "security issue" in the
past, it has been assigned a CVE name by MITRE, CVE-2006-1549.

MOPB-02-2007 and MOPB-03-2007 both concern the handling of (untrusted)
input data which contains deeply-nested arrays. MOPB-02-2007 describes
how a script processing such input data in a recursive fashion,
without concern for recursion bounds, may crash the interpreter, as
described in the previous paragraph. MOPB-03-2007 describes how, on
automatic deallocation of a deeply-nested-array variable, the PHP
interpreter may itself overflow the process stack and crash.

The attack vector here in both cases is the single issue, that PHP
allows input arrays of arbitrary nesting; this would be treated as
security-sensitive.  The impact of this issue is Low; in both paths
the consequence of the bug is to segfault a single Apache httpd child
process, which will be immediately replaced.


Comment 5 Joe Orton 2007-03-02 15:57:56 UTC
MOPB-04-2007 describes an issue in the PHP unserialize() function in
PHP 4.4.x; if this function is used on an untrusted input string, the
object reference count can be forced to overflow, which allows the
attacker to execute arbitrary code as the PHP user.  An input string
required to exploit this issue must exceed ~512K in length, so default
Apache line length limits will prevent this from being exploited via input
data carried in the HTTP request headers or URI.

(CVE: none assigned, Impact: Important)

Comment 6 Joe Orton 2007-03-02 15:59:34 UTC
MOPB-05-2007: If unserializing untrusted data on 64-bit platforms the
zend_hash_init() function can be forced to enter an infinite loop,
consuming CPU resources, for a limited duration of time, until the
script timeout alarm aborts the script.

Errata fixing this bug have already been issued; see bug 228858.

(CVE: CVE-2007-0988; Impact: Moderate)


Comment 8 Joe Orton 2007-03-03 20:58:47 UTC
"BONUS-06-2007" and "BONUS-07-2007" concern issues in the Zend Platform product,
which is not distributed in Red Hat Enterpise Linux.

MOPB-08-2007 describes a cross-site-scripting issue in the phpinfo() function in
certain versions of PHP.  Generally, the phpinfo() function should not be used
in publically-accessible PHP scripts.

(CVE: none assigned; Impact: Low)

Comment 9 Joe Orton 2007-03-05 12:49:41 UTC
MOPB-09-2007 describes an issue in the WDDX extension which was introduced in
the PHP CVS development branch, and is not present in any relased version of PHP.

MOPB-10-2007 describes an issue in the session extension which allows a heap
information leak.  Errata fixing this bug have already been issued; see bug 228858.

MOPB-11-2007 describes an issue in the WDDX extension which allowed a heap
information leak.  Errata fixing this bug have already been issued; see bug 228858.

Comment 10 Joe Orton 2007-03-06 16:30:09 UTC
BONUS-12-2007 describes an issue in mod_security, which is not distributed in
Red Hat Enterprise Linux.

MOPB-13-2007 describes an issue in the "ovrimos" extension, which is not
included in the PHP package distributed in Red Hat Enterpise Linux.

Comment 12 Joe Orton 2007-03-07 13:54:07 UTC
Update: MOPB-08-2007 was a regression introduced with the fix for CVE-2006-0996
added in PHP 4.4.3, and has been assigned CVE-2007-1287.  This regression was not
present in the patch used to fix CVE-2006-0996 in Red Hat Enterprise Linux.

Comment 14 Joe Orton 2007-03-08 15:49:47 UTC
MOPB-14-2007 describes an integer overflow in the substr_compare() function. 
This function is not present in the versions of PHP distributed in Red Hat
Enterprise Linux v2.1, v3 or v4.

MOPB-15-2007 describes input validation bugs in the shmop extension.  These bugs
could only be triggered by the author of the PHP script, so would not be treated
as security-sensitive per comment 1.

Comment 15 Joe Orton 2007-03-12 09:56:17 UTC
MOPB-16-2007 describes a bug in the "zip" extension.  MOPB-17-2007,
MOPB-18-2007, and MOPB-19-2007 all describe bugs in the "filter" extension". 
The "filter" and "zip" extensions are not distributed in Red Hat Enterprise Linux.

Comment 16 Lubomir Kundrak 2007-03-12 18:29:10 UTC
MOPB-01-2007 CVE-2007-1383
MOPB-09-2007 CVE-2007-1381
MOPB-10-2007 CVE-2007-1380
MOPB-14-2007 CVE-2007-1375
MOPB-15-2007 CVE-2007-1376

Comment 17 Lubomir Kundrak 2007-03-12 18:29:50 UTC
MOPB-16-2007 CVE-2007-1399

Comment 18 Joe Orton 2007-03-14 09:58:10 UTC
MOPB-20-2007 and MOPB-21-2007 describe "safe_mode"/"open_basedir" bugs in the
"zip" and "bz2" extensions; this type of bug is not classified as
security-sensitive per comment 1; see also bug 169857.  (The "zip" extension is
not distributed in Red Hat Enterprise Linux v2, v3, or v4)

Comment 20 Lubomir Kundrak 2007-03-15 11:08:48 UTC
MOPB-17-2007 CVE-2007-1452
MOPB-18-2007 CVE-2007-1454
MOPB-19-2007 CVE-2007-1453
MOPB-20-2007 CVE-2007-1460
MOPB-21-2007 CVE-2007-1461

Comment 21 Lubomir Kundrak 2007-03-19 21:33:28 UTC
MOPB-24-2007 CVE-2007-1484

Comment 23 Joe Orton 2007-03-20 16:31:36 UTC
MOPB-22-2007 and MOPB-23-2007 describe bugs in the session extension; there are
no known methods to trigger these bugs remotely.  MOPB-24-2007 describes a bug
in the array_user_key_compare() which can only be triggered by a script author.
 These bugs are not classified as security-sensitive per comment 1.

MOPB-25-2007 describes a bug in the header() function which is unlikely to be
possible to trigger remotely, and is unlikely to have any effect on most
platforms.  Errata have already been issued fixing this bug: see
http://rhn.redhat.com/errata/CVE-2007-0907.html

MOPB-26-2007 describes a bug in the mbstring extension which may a remote
attacker to enable the "register_globals" setting for the lifetime of an httpd
child process, if the mb_parse_string() is used to process untrusted script
input of a length which can force the default memory_limit to be exhausted. 
(CVE: none assigned; Impact: Low)

MOPB-27-2007 describes a bug in the gd extension which can only be triggered by
the script author.  This bug is not classified as security-sensitive per comment 1.

Comment 24 Joe Orton 2007-03-21 09:26:06 UTC
MOPB-28-2007 describes a bug in the use of user-defined stream handles which can
only be triggered by the script author.  This bug is not classified as
security-sensitive per comment 1.

Comment 25 Lubomir Kundrak 2007-03-21 13:01:57 UTC
MOPB-22-2007 CVE-2007-1521
MOPB-23-2007 CVE-2007-1522

Comment 26 Lubomir Kundrak 2007-03-22 20:23:38 UTC
CVE-2007-1584 php MOPB-25-2007
CVE-2007-1583 php MOPB-26-2007
CVE-2007-1582 php MOPB-27-2007
CVE-2007-1581 php MOPB-28-2007


Comment 27 Joe Orton 2007-03-23 09:23:47 UTC
MOPB-29-2007 describes an issue in the unserialize() function introduced in the
PHP 5.2.1 release, which does not affect the versions of PHP shipped in Red Hat
Enterprise Linux.

Comment 29 Lubomir Kundrak 2007-03-27 15:52:29 UTC
MOPB-29-2007 CVE-2007-1649
MOPB-30-2007 CVE-2007-1700
MOPB-31-2007 CVE-2007-1701


Comment 30 Joe Orton 2007-03-27 16:13:32 UTC
MOPB-30-2007 describes a bug in the session extension which can only be
triggered by the script author.

MOPB-31-2007 describes a bug in the session extension which allows super-globals
to be over-ridden by an attacker, if session data is taken from an untrusted
source.  Errata have already been issued fixing this bug: see
http://rhn.redhat.com/errata/CVE-2007-0910.html

MOPB-32-2007 describes a regression in the fix used for MOPB-31-2007 which may
allow an remote attacker to execute arbitrary code as the "apache" user, if
session data is taken from an untrusted source.  (CVE: none assigned; Impact:
Important)

Comment 31 Lubomir Kundrak 2007-03-27 16:56:07 UTC
MOPB-32-2007 CVE-2007-1711

Comment 32 Lubomir Kundrak 2007-03-28 10:13:15 UTC
MOPB-33-2007 CVE-2007-1717
MOPB-34-2007 CVE-2007-1718

Comment 34 Joe Orton 2007-03-29 10:20:29 UTC
MOPB-35-2007 describes a bug in the "zip" extension, which is not distributed in
Red Hat Enterprise Linux.

MOPB-36-2007 describes a bug in the "open_basedir" feature, which is not
classified as security-sensitive per comment 1; see also bug 169857.

Comment 35 Joe Orton 2007-03-29 10:33:58 UTC
MOPB-33-2007 describes a bug in the mail() function which has no security impact.

MOPB-34-2007 describes a bug in the mail() function which allows a remote
attacker to inject arbitrary headers into generated mail, if the "subject"
parameter passed to the function uses untrusted (and unsanitized) script input;
this may allow the attacker to force the script to send bulk e-mail to
unintended recipients. (CVE-2007-1718, Impact: Low)

Comment 36 Joe Orton 2007-03-30 07:35:16 UTC
MOPB-37-2007 describes a bug in the Zend interpreter which can only be triggered
by the script author.  This bug is not classified as security-sensitive per
comment 1.

Comment 37 Joe Orton 2007-04-02 14:17:38 UTC
MOPB-38-2007 describes an issue in the printf() function which can only be
triggered by the script author.

MOPB-39-2007 describes an integer overflow the str_replace() function, which can
be triggered remotely if a script passes large untrusted strings to the third
and fourth arguments of this function.  Errata fixing this bug have already been
issued: http://rhn.redhat.com/errata/CVE-2007-0907.html.  The off-by-one bug
used in the initial fix committed upstream did not affect the patch used in Red
Hat Enterprise Linux.

Comment 38 Joe Orton 2007-04-02 15:38:58 UTC
MOPB-40-2007 describes a heap overflow in the imap_mail_compose() function. 
Errata fixing this bug have already been fixed; see
http://rhn.redhat.com/errata/CVE-2007-0906.html.

MOPB-41-2007 describes a bug in the sqlite2 library, a copy of which is bundled
in the "sqlite" extension included in the PHP source code.  Neither the "sqlite"
extension nor the sqlite2 library are distributed in Red Hat Enterprise Linux.


Comment 39 Joe Orton 2007-04-02 15:43:18 UTC
MOPB-42-2007 describes a bug in the handling of stream filters, which should
only be possible to be triggered by the script author.

MOPB-43-2007 describes a bug in the msg_receive() function provided by the
"sysvmsg" extension.  This bug can only be triggered by the script author.

MOPB-44-2007 describes a bug in the PHP 5.2 Zend Memory Manager, which does not
affect earlier versions of PHP.

Comment 41 Mark J. Cox 2007-04-03 12:48:48 UTC
So the summary at the end of MOPB, the following unfixed issues that we class as
security impact:

        CVE-2007-1285 MOPB-03-2007
        impact=low,public=20070301

        CVE-2007-1286 MOPB-04-2007
        impact=important,public=20070302

        CVE-2007-1583 MOPB-26-2007
        impact=low,public=20030720

        CVE-2007-1711 MOPB-32-2007
        impact=important,public=20070325

Comment 42 Lubomir Kundrak 2007-04-03 18:15:01 UTC
MOPB-36-2007 CVE-2007-1835
MOPB-42-2007 CVE-2007-1824
MOPB-40-2007 CVE-2007-1825

Comment 43 Joe Orton 2007-04-04 09:29:19 UTC
An unfixed issue in addition to the above summary:

   CVE-2007-1718 MOPB-34-2007
   impact=low,public=20070326

Comment 44 Lubomir Kundrak 2007-04-06 06:22:37 UTC
MOPB-37-2007 CVE-2007-1883
MOPB-38-2007 CVE-2007-1884
MOPB-39-2007 CVE-2007-1885
MOPB-39-2007 CVE-2007-1886 
MOPB-41-2007 CVE-2007-1887
MOPB-41-2007 CVE-2007-1888
MOPB-43-2007 CVE-2007-1883
MOPB-44-2007 CVE-2007-1883
MOPB-43-2007 CVE-2007-1890

Comment 47 Mark J. Cox 2007-04-16 08:10:47 UTC
Here is complete mapping for the month, double verified against CVE db.

MOPB-01-2007 CVE-2007-1383
MOPB-02-2007 CVE-2006-1549
MOPB-03-2007 CVE-2007-1285
MOPB-04-2007 CVE-2007-1286
MOPB-05-2007 CVE-2007-0988
BONUS-06-2007 CVE-2007-1370
BONUS-07-2007 CVE-2007-1369
MOPB-08-2007 CVE-2007-1287
MOPB-09-2007 CVE-2007-1381
MOPB-10-2007 CVE-2007-1380
MOPB-11-2007 CVE-2006-0908
BONUS-12-2007 CVE-2007-1359
MOPB-13-2007 CVE-2007-1378 CVE-2007-1379
MOPB-14-2007 CVE-2007-1375
MOPB-15-2007 CVE-2007-1376
MOPB-16-2007 CVE-2007-1399
MOPB-17-2007 CVE-2007-1452
MOPB-18-2007 CVE-2007-1454
MOPB-19-2007 CVE-2007-1453
MOPB-20-2007 CVE-2007-1460
MOPB-21-2007 CVE-2007-1461
MOPB-22-2007 CVE-2007-1521
MOPB-23-2007 CVE-2007-1522
MOPB-24-2007 CVE-2007-1484
MOPB-25-2007 CVE-2007-1584
MOPB-26-2007 CVE-2007-1583
MOPB-27-2007 CVE-2007-1582
MOPB-28-2007 CVE-2007-1581
MOPB-29-2007 CVE-2007-1649
MOPB-30-2007 CVE-2007-1700
MOPB-31-2007 CVE-2007-1701
MOPB-32-2007 CVE-2007-1711
MOPB-33-2007 CVE-2007-1717
MOPB-34-2007 CVE-2007-1718
MOPB-35-2007 CVE-2007-1777
MOPB-36-2007 CVE-2007-1835
MOPB-37-2007 CVE-2007-1883
MOPB-38-2007 CVE-2007-1884
MOPB-39-2007 CVE-2007-1885 CVE-2007-1886
MOPB-40-2007 CVE-2007-1825
MOPB-41-2007 CVE-2007-1887 CVE-2007-1888
MOPB-42-2007 CVE-2007-1824
MOPB-43-2007 CVE-2007-1889 CVE-2007-1890
MOPB-44-2007 CVE-2007-1889
MOPB-45-2007 CVE-2007-1900


Comment 50 Red Hat Bugzilla 2007-04-16 15:33:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0155.html



Note You need to log in before you can comment on or make changes to this bug.