Bug 662707 (CVE-2006-7243) - CVE-2006-7243 php: paths with NULL character were considered valid
Summary: CVE-2006-7243 php: paths with NULL character were considered valid
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2006-7243
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 820101
Depends On: 958614 988714 1067646 1067647
Blocks: 927185 952520 974906
Reported: 2010-12-13 16:45 UTC by Vincent Danen
Modified: 2021-02-24 16:53 UTC (History)

Fixed In Version: php 5.3.4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-04 18:59:59 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2013:1307 | 0 | normal | SHIPPED_LIVE | Moderate: php53 security, bug fix and enhancement update | 2013-10-01 00:31:22 UTC
Red Hat Product Errata | RHSA-2013:1615 | 0 | normal | SHIPPED_LIVE | Moderate: php security, bug fix, and enhancement update | 2013-11-20 21:38:52 UTC
Red Hat Product Errata | RHSA-2014:0311 | 0 | normal | SHIPPED_LIVE | Critical: php security update | 2014-03-18 23:43:38 UTC

Description Vincent Danen 2010-12-13 16:45:35 UTC
It was reported [1],[2] that PHP would accept filenames with a NULL character in the string, and silently truncate anything after the NULL character.  This could lead to unexpected results and could possibly disclose the existence of certain system files.  This was initially reported against the file_exists() function, but a number of other functions were changed to prevent PHP from considering paths with a NULL character as being valid [2].

This has been corrected in the upstream 5.3.4 release [3].

[1] http://bugs.php.net/39863
[2] http://www.madirish.net/?article=436
[3] http://svn.php.net/viewvc/?view=revision&revision=305507
[4] http://www.php.net/archive/2010.php#id2010-12-10-1
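
The truncation described above arises when a length-counted string is handed to C file APIs, which stop reading at the first NUL byte. As an added example (not PHP's code or the upstream patch; the struct and function names are hypothetical and the sample paths are constructed), this C program shows the mismatch between what an application-level check sees and what the C API sees, and a validity check that rejects such paths:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-counted string, as a scripting runtime stores it: the byte
 * count is tracked separately, so a NUL can sit inside the value. */
struct counted_str { const char *buf; size_t len; };

static struct counted_str cs(const char *buf, size_t len)
{
    struct counted_str s = { buf, len };
    return s;
}

/* Length a C API taking `const char *` (open, stat, access) will see:
 * everything up to the first NUL, regardless of the counted length. */
static size_t c_visible_len(struct counted_str s)
{
    const char *nul = memchr(s.buf, '\0', s.len);
    return nul ? (size_t)(nul - s.buf) : s.len;
}

/* Application-level check that inspects the full counted string. */
static int has_suffix(struct counted_str s, const char *suffix)
{
    size_t n = strlen(suffix);
    return s.len >= n && memcmp(s.buf + s.len - n, suffix, n) == 0;
}

/* Hardened gate: a path is valid only if its counted length equals its
 * C-visible length, i.e. it contains no embedded NUL. */
static int path_is_valid(struct counted_str s)
{
    return s.len > 0 && c_visible_len(s) == s.len;
}

int main(void)
{
    /* Constructed sample inputs; the explicit length keeps the NUL. */
    struct counted_str t = cs("notes.txt\0.png", 14);
    struct counted_str c = cs("photo.png", 9);

    printf("tainted: counted=%zu c_visible=%zu suffix_ok=%d valid=%d\n",
           t.len, c_visible_len(t), has_suffix(t, ".png"), path_is_valid(t));
    printf("clean:   counted=%zu c_visible=%zu suffix_ok=%d valid=%d\n",
           c.len, c_visible_len(c), has_suffix(c, ".png"), path_is_valid(c));
    return 0;
}
```

The first input passes the suffix check on all 14 bytes while the C API would act on only the first 9, which is why the gate has to run before any file function is called.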

Comment 3 Huzaifa S. Sidhpurwala 2010-12-28 08:54:23 UTC

*** This bug has been marked as a duplicate of bug 169857 ***

Comment 4 Jan Lieskovsky 2012-05-09 09:27:50 UTC
*** Bug 820101 has been marked as a duplicate of this bug. ***

Comment 7 Robert Scheck 2013-05-06 12:16:42 UTC
ownCloud 5.0.5 setup complains that a fully RHEL 6 is vulnerable to this. Not
very nice - even this is just moderate. Any plans to fix this?

Comment 8 Robert Scheck 2013-05-13 11:39:48 UTC
Cross-filed case 00836562 in the Red Hat customer portal.

Comment 11 errata-xmlrpc 2013-09-30 22:11:52 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1307 https://rhn.redhat.com/errata/RHSA-2013-1307.html

Comment 12 Huzaifa S. Sidhpurwala 2013-10-01 04:43:04 UTC
Statement:

(none)

Comment 14 errata-xmlrpc 2013-11-21 11:16:37 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1615 https://rhn.redhat.com/errata/RHSA-2013-1615.html

Comment 19 errata-xmlrpc 2014-03-18 19:45:24 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0311 https://rhn.redhat.com/errata/RHSA-2014-0311.html

Comment 20 Tomas Hoger 2014-03-18 21:07:24 UTC
Thanks to Remi Collet for pointing out that parts of the upstream patch are applicable to additional packages available in EPEL-5.  Those are either for modules that were not part of PHP upstream in version 5.1.6, or that are not built in Red Hat Enterprise Linux 5 packages.

php-pecl-zip
php-pecl-fileinfo
php-extras (tidy module)

CCing respective owners.

