A bug was discovered in the PEAR XML-RPC Server package included in PHP. If a PHP script is used which implements an XML-RPC Server using the PEAR XML-RPC package, then it is possible for a remote attacker to construct an XML-RPC request which can cause PHP to execute arbitrary PHP commands as the 'apache' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2498 to this issue. See http://rhn.redhat.com/errata/RHSA-2005-748.html and bug #165846. This affects fc1 and fc2.
Must also take a look at CVE-2005-3353, CVE-2005-3388, CVE-2005-3389 and CVE-2005-3390.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages for FC1 and FC2. rh73 and rh9 are not vulnerable.

fc1:
14fa8a104eaf6081f86f6044d98926c3b2464f16  php-4.3.11-1.fc1.3.legacy.i386.rpm
511c19bd7ae00b27bbb0b8e28661ec80f0c5c2da  php-4.3.11-1.fc1.3.legacy.src.rpm
a19f06d62ed322c6ca60a960240545b1c1541c2c  php-devel-4.3.11-1.fc1.3.legacy.i386.rpm
dae143f2b7c31f31fe6726dc0f159e44d8ebb9a7  php-domxml-4.3.11-1.fc1.3.legacy.i386.rpm
1d774b01f202f5970916589d8f7c785854f5f54f  php-imap-4.3.11-1.fc1.3.legacy.i386.rpm
a71c35249b724b83e7ea684a9e03e8226ddaf314  php-ldap-4.3.11-1.fc1.3.legacy.i386.rpm
ef0b14061558d4bb80bd932a9429ea5f726c8deb  php-mbstring-4.3.11-1.fc1.3.legacy.i386.rpm
624bcdcafa968f009349807deaa2b9cdbd7a8870  php-mysql-4.3.11-1.fc1.3.legacy.i386.rpm
0461e0f97932343e89b1545553968ec31e7895c5  php-odbc-4.3.11-1.fc1.3.legacy.i386.rpm
964431ceda611ef5db0ddcb37916e9b1ba14f2d0  php-pgsql-4.3.11-1.fc1.3.legacy.i386.rpm
6cc5fda5e58516da3de48e1e6ce84137ac623cd0  php-snmp-4.3.11-1.fc1.3.legacy.i386.rpm
b73447b0ed96cabfd47d38204bbb58ae58618419  php-xmlrpc-4.3.11-1.fc1.3.legacy.i386.rpm

fc2:
235ec2a6041154f238e7d842f3c5546f1f665317  php-4.3.11-1.fc2.4.legacy.i386.rpm
88bc48eebf292783440e46e04a4819c6c110897d  php-4.3.11-1.fc2.4.legacy.src.rpm
8b0d4837b30af423d1316c3a2aa71efc8400f130  php-devel-4.3.11-1.fc2.4.legacy.i386.rpm
2d299d41c06ae6e8b6eb59681de73ab78ecd870a  php-domxml-4.3.11-1.fc2.4.legacy.i386.rpm
d41520f1bebf1ce8518bae28f446f6a6a7d383e6  php-imap-4.3.11-1.fc2.4.legacy.i386.rpm
79485d15f70dad62f8c83c0f5b790f35416228cd  php-ldap-4.3.11-1.fc2.4.legacy.i386.rpm
c99ddb3a6ef2b689b74b6e6eb6a45aa32a6d341b  php-mbstring-4.3.11-1.fc2.4.legacy.i386.rpm
1494b4c2b97ea097386c783585019c7138ca33f7  php-mysql-4.3.11-1.fc2.4.legacy.i386.rpm
5842888e1733ae3122897bd0d61c0b820b539482  php-odbc-4.3.11-1.fc2.4.legacy.i386.rpm
8f6873b119f4d27be7875174dbdb588a1006ae9e  php-pear-4.3.11-1.fc2.4.legacy.i386.rpm
b94afed2427a4b44d73a4910cab26f210cfe600e  php-pgsql-4.3.11-1.fc2.4.legacy.i386.rpm
90342f547a8d2535c1725cc94e50d65f4f2caa4f  php-snmp-4.3.11-1.fc2.4.legacy.i386.rpm
7aa057781c562290493c3d77e1f863e329ac08d5  php-xmlrpc-4.3.11-1.fc2.4.legacy.i386.rpm

Changelog:
* Wed Nov 09 2005 Marc Deslauriers <marcdeslauriers> 4.3.11-1.fc2.4.legacy
- pear: update to XML_RPC 1.4.0 to fix CVE-2005-2498
- add security fixes from upstream:
  * XSS issues in phpinfo() (CVE-2005-3388)
  * GLOBALS handling (CVE-2005-3390)
  * parse_str() enabling register_globals (CVE-2005-3389)
  * exif: infinite recursion on corrupt JPEG (CVE-2005-3353)

Downloads:
fc1 source: http://www.infostrategique.com/linuxrpms/legacy/1/php-4.3.11-1.fc1.3.legacy.src.rpm
fc1 binaries: http://www.infostrategique.com/linuxrpms/legacy/1/
fc2 source: http://www.infostrategique.com/linuxrpms/legacy/2/php-4.3.11-1.fc2.4.legacy.src.rpm
fc2 binaries: http://www.infostrategique.com/linuxrpms/legacy/2/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDcsVwLMAs/0C4zNoRAtkHAJwPYq9k9LlIqMCCXx6JExz+SkFisgCfe3kl
uRYc6x8W5E84XmlibvvauH0=
=vOiC
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for FC1 and FC2 packages:

511c19bd7ae00b27bbb0b8e28661ec80f0c5c2da  php-4.3.11-1.fc1.3.legacy.src.rpm
88bc48eebf292783440e46e04a4819c6c110897d  php-4.3.11-1.fc2.4.legacy.src.rpm

Patches match those from FC3 package
New XML_RPC source is same as FC3 package
All other sources same as previous release
Removed CAN-2005-1921 patch, this is OK since XML_RPC has been updated
SPEC file changes seem fine to me

FC1 PUBLISH++
FC2 PUBLISH++
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDcyaKKe7MLJjUbNMRAmZeAJ9+i9P0ymQizFU38+XVGE5iERSCBgCgp5Xi
X8DGlpIA4s6Mdo5xfrsEeCY=
=dkhE
-----END PGP SIGNATURE-----
I'm not getting the same MD5SUM:

$ wget http://www.infostrategique.com/linuxrpms/legacy/1/php-4.3.11-1.fc1.3.legacy.src.rpm
--08:26:31--  http://www.infostrategique.com/linuxrpms/legacy/1/php-4.3.11-1.fc1.3.legacy.src.rpm
           => `php-4.3.11-1.fc1.3.legacy.src.rpm'
Resolving www.infostrategique.com... done.
Connecting to www.infostrategique.com[209.71.226.162]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5,094,213 [application/x-rpm]

100%[====================================>] 5,094,213    760.09K/s    ETA 00:00

08:26:38 (760.09 KB/s) - `php-4.3.11-1.fc1.3.legacy.src.rpm' saved [5094213/5094213]

$ md5sum php-4.3.11-1.fc1.3.legacy.src.rpm
8ff6977c88fc6ed2afd1e16cb309c2f8  php-4.3.11-1.fc1.3.legacy.src.rpm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Everyone,

I'm glad I could get this problem noticed and acted on so quickly. Sorry I didn't post the Bugzilla entry first.

I also don't see anything wrong with the spec file... looks good. All the patches are there. They check with the patches from FC3. Everything will / does compile. Changes look good.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDc1xAkNLDmnu1kSkRA0qMAJ0WdXwvgNEFThk/1IX53C9GJp8rPACeN6bY
qAitwhtyT+4scvBDPsiLgBc=
=PdXZ
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages for rh7.3 and rh9 to QA.

rh73:
1aeb90829b82a23632242b71efeca9072b8984a7  php-4.1.2-7.3.18.legacy.i386.rpm
92658feeb078906a5b284ac082bdc058107e2fb3  php-4.1.2-7.3.18.legacy.src.rpm
e04dbd30b0683057d4ef8bd6992c39df5130e2aa  php-devel-4.1.2-7.3.18.legacy.i386.rpm
0eab66e9b47f40718f4731c0fb80d3bc9100bf7f  php-imap-4.1.2-7.3.18.legacy.i386.rpm
c8751277aba02a4c190e11b1911a7523b2f836a8  php-ldap-4.1.2-7.3.18.legacy.i386.rpm
24fa3fd5acd49dbc89a9f9a453384e13a2da7f0f  php-manual-4.1.2-7.3.18.legacy.i386.rpm
7f7a05ba4a2983ca970d366affc0a55b321810da  php-mysql-4.1.2-7.3.18.legacy.i386.rpm
f7b9565b71ae90e5e6a55d73e18438cb2a53ce0b  php-odbc-4.1.2-7.3.18.legacy.i386.rpm
d769f2c8d7f2a6fd4b47a559c54d613d27e254c5  php-pgsql-4.1.2-7.3.18.legacy.i386.rpm
5fd51da57df74b458169d190a41c4ef5c2f19b55  php-snmp-4.1.2-7.3.18.legacy.i386.rpm

rh9:
45f04db7df2e06d85a717ed7dc6342c12f428808  php-4.2.2-17.15.legacy.i386.rpm
4f4f776ba44012c61c821e9640781a8392644088  php-4.2.2-17.15.legacy.src.rpm
4fe73d2016bce4e7999719173b3259403255618f  php-devel-4.2.2-17.15.legacy.i386.rpm
4dc1e60f1345a5743c166bcde219367e716d3199  php-imap-4.2.2-17.15.legacy.i386.rpm
4c2e245d2cd33e3472ccb9265cadbf5a60e2a983  php-ldap-4.2.2-17.15.legacy.i386.rpm
9eb9381e635b617c6ccd5787b42a02204f182f8e  php-manual-4.2.2-17.15.legacy.i386.rpm
1aac25bca1e4d92346e0511cd693a1aeecfb89e8  php-mysql-4.2.2-17.15.legacy.i386.rpm
e8f83b44f98475012e653c3c6795aefd0078c09c  php-odbc-4.2.2-17.15.legacy.i386.rpm
fc6603f6a1426cb9201a6cf083c86fe8d88231b6  php-pgsql-4.2.2-17.15.legacy.i386.rpm
59f7b6840806cb26510d4edfdc88b1940252295d  php-snmp-4.2.2-17.15.legacy.i386.rpm

rh73 Changelog:
* Thu Nov 10 2005 Marc Deslauriers <marcdeslauriers> 4.1.2-7.3.18.legacy
- add security fixes from upstream:
  * XSS issues in phpinfo() (CVE-2005-3388)
  * GLOBALS handling (CVE-2005-3390)
  * parse_str() enabling register_globals (CVE-2005-3389)

rh9 Changelog:
* Thu Nov 10 2005 Marc Deslauriers <marcdeslauriers> 4.2.2-17.15.legacy
- add security fixes from upstream:
  * XSS issues in phpinfo() (CVE-2005-3388)
  * GLOBALS handling (CVE-2005-3390)
  * parse_str() enabling register_globals (CVE-2005-3389)
  * exif: infinite recursion on corrupt JPEG (CVE-2005-3353)

Downloads:
rh73 source: http://www.infostrategique.com/linuxrpms/legacy/7.3/php-4.1.2-7.3.18.legacy.src.rpm
rh73 binaries: http://www.infostrategique.com/linuxrpms/legacy/7.3/
rh9 source: http://www.infostrategique.com/linuxrpms/legacy/9/php-4.2.2-17.15.legacy.src.rpm
rh9 binaries: http://www.infostrategique.com/linuxrpms/legacy/9/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDdA0lLMAs/0C4zNoRAj0oAKCcIr+1W1wPhqhF+wDy38SvxY1sbgCgs1ZN
VwALBlq1G0l6udOJIKIKCdE=
=3HvN
-----END PGP SIGNATURE-----
I just downloaded the following for FC2, which also didn't match md5sums displayed above:

0735747f41d4fa3f75e80db3cdc7eb9d  php-4.3.11-1.fc2.4.legacy.i386.rpm
ae9100396394f9c55b19c1a3e8abf453  php-ldap-4.3.11-1.fc2.4.legacy.i386.rpm
8a97ff09f66262420fd34b079df5e45e  php-mbstring-4.3.11-1.fc2.4.legacy.i386.rpm
1334bf10deac1bedc7f48dfaca05c1a6  php-mysql-4.3.11-1.fc2.4.legacy.i386.rpm
02b26389a76312e4d05ce601a57dac49  php-pear-4.3.11-1.fc2.4.legacy.i386.rpm
debe5e43d8910a6892fa14d236b2267d  php-pgsql-4.3.11-1.fc2.4.legacy.i386.rpm
These were the md5sums I got for the FC1 downloads I needed:

1235e99a7b3a5bb4fb0549e2b0c7ed77  php-4.3.11-1.fc1.3.legacy.i386.rpm
4f7320199635ddf6e7e08afc76a70536  php-devel-4.3.11-1.fc1.3.legacy.i386.rpm
12856142cf4adea392b8e76db4141abb  php-imap-4.3.11-1.fc1.3.legacy.i386.rpm
573bef1916c801b949f98665af07d5e4  php-ldap-4.3.11-1.fc1.3.legacy.i386.rpm
cec2f520a68ee8f292d6c2fb37194f2f  php-mbstring-4.3.11-1.fc1.3.legacy.i386.rpm
438a2a417dd0aaa494b580da9e4528a3  php-mysql-4.3.11-1.fc1.3.legacy.i386.rpm
b6e4f650d6483545c65c07d9556fcf23  php-pgsql-4.3.11-1.fc1.3.legacy.i386.rpm
Fedora Legacy does not use md5sums, we use sha1sums, that's why they don't match.
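The mismatch reported in the comments above is the classic one: the advisory lists SHA-1 digests (40 hex characters) and the downloader computed MD5 (32 hex characters). The following POSIX shell script is an added example, not part of this thread or of the Fedora Legacy tooling: it reads a "<digest>  <filename>" list in the format posted above, picks the hash algorithm from the digest length rather than assuming one, and reports OK, FAIL, MISSING or BADSUM per entry. The function names (verify_sums, digest_kind, digest_of, make_fixture) and the package names and digests in the fixture are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the bug thread or of Fedora Legacy's tooling.
# Verifies downloaded packages against a "<digest>  <filename>" list such as
# the ones posted in the QA comments above. The digest algorithm is inferred
# from the hex length (40 = sha1, 32 = md5), so running this against a
# Fedora Legacy sha1 list never computes an md5sum by mistake.
# Requires a POSIX sh with sha1sum(1) and md5sum(1) (GNU coreutils).

# digest_kind HEX -> prints md5, sha1 or unknown, judged by length only
digest_kind() {
    case ${#1} in
        32) echo md5 ;;
        40) echo sha1 ;;
        *)  echo unknown ;;
    esac
}

# digest_of KIND FILE -> prints the hex digest of FILE using KIND
digest_of() {
    case $1 in
        md5)  sum=$(md5sum "$2") ;;
        sha1) sum=$(sha1sum "$2") ;;
        *)    return 1 ;;
    esac
    echo "${sum%% *}"
}

# verify_sums LISTFILE DIR
# One line of output per list entry (OK / FAIL / MISSING / BADSUM).
# Returns 0 only if every entry verified.
verify_sums() {
    list=$1
    dir=$2
    rc=0
    while read -r want name; do
        [ -z "$name" ] && continue
        kind=$(digest_kind "$want")
        if [ "$kind" = unknown ]; then
            echo "BADSUM   $name (digest length ${#want} is neither md5 nor sha1)"
            rc=1
            continue
        fi
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            rc=1
            continue
        fi
        got=$(digest_of "$kind" "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK       $name ($kind)"
        else
            echo "FAIL     $name ($kind: list says $want, file is $got)"
            rc=1
        fi
    done < "$list"
    return $rc
}

# make_fixture DIR: constructed demo data, not real packages. Two fake
# RPMs and a list whose second entry is wrong and whose third entry is an
# md5-length digest for a file that was never downloaded.
make_fixture() {
    d=$1
    printf 'good payload\n' > "$d/php-demo-good.i386.rpm"
    printf 'other payload\n' > "$d/php-demo-bad.i386.rpm"
    good=$(digest_of sha1 "$d/php-demo-good.i386.rpm")
    {
        echo "$good  php-demo-good.i386.rpm"
        echo "0000000000000000000000000000000000000000  php-demo-bad.i386.rpm"
        echo "d41d8cd98f00b204e9800998ecf8427e  php-demo-missing.i386.rpm"
    } > "$d/SHA1SUMS"
}

# Stand-alone run: build the fixture, verify it, clean up.
demo=$(mktemp -d)
make_fixture "$demo"
verify_sums "$demo/SHA1SUMS" "$demo" || echo "one or more entries did not verify"
rm -rf "$demo"
```

To use it on a real download, paste the digest lines from the advisory into a file and run `verify_sums SHA1SUMS /path/to/downloads`; a non-zero exit means at least one package should not be installed. Note that a digest list only proves the file matches what the poster had, not who the poster is; the PGP signature on the message is what ties the list to the packager.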
How about CAN-2005-2491 (see bug 166334) and CAN-2005-3054 (see bug 169857)?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RH7.3 package:

92658feeb078906a5b284ac082bdc058107e2fb3  php-4.1.2-7.3.18.legacy.src.rpm

Patches match those from RHEL package
All sources same as previous release
SPEC file changes are only to add patches and bump release

RH73 PUBLISH++

RH9 patches seem OK, but where do you get them so I have something to compare to? Once I can verify the RH9 patches I'll add a publish for that as well.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDdJ9TKe7MLJjUbNMRAlmnAKCANiWwsKtWR39cIvy7ebc6HP2fHwCgzXZA
Ndvoj47+s6YpPBs1++mklxc=
=j0xw
-----END PGP SIGNATURE-----
The RH9 patch was based on the RHEL3 and RHEL21 patches and adapted for php 4.2.2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, I've looked over the RH9 patches, I did notice one thing that I think should be changed in php-4.2.2-CVE-2005-3389.patch

See the lines:

- - old_rg = PG(register_globals);
if(argCount == 1) {
PG(register_globals) = 1;
- - php_treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+ zval tmp;

In the RHEL patches, they remove the line:

PG(register_globals) = 1;

So I think we need to do the same. Aside from that, things look good to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDdcz8Ke7MLJjUbNMRAk/0AJwPtT0C91IazqrOqDQG8Oz0yUa50ACeJBO9
azl4TMqF42dCty/8vvveshQ=
=eFqB
-----END PGP SIGNATURE-----
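Review bot: the hunk deletes the `old_rg = PG(register_globals);` save but keeps `PG(register_globals) = 1;` inside the `if(argCount == 1)` branch, so a one-argument parse_str() call would still switch register_globals on with no saved value left to restore it from; that assignment has to be removed as well, as the RHEL patch does, otherwise the CVE-2005-3389 fix ("parse_str() enabling register_globals" in the changelog) is incomplete for this code path.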
Good catch Jeff, I'll fix the patch when I build for updates-testing today.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark, sounds good. With that change to the patch I give the RH9 package my PUBLISH vote. (just so it's official) :)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDdxPCKe7MLJjUbNMRAhX8AJ9MG6VKtt1Y77lyJ3/q8JbJVzJlhgCg1W7z
4FK4G/VNLmWjTKEv49jzPPw=
=KBUd
-----END PGP SIGNATURE-----
Packages were pushed to updates-testing.
Why are these not in the FC1 package?

* GLOBALS handling (CVE-2005-3390)
* parse_str() enabling register_globals (CVE-2005-3389)
* exif: infinite recursion on corrupt JPEG (CVE-2005-3353)
Regarding comment #17 those are all present in the FC1 RPM. See the source RPM here: http://download.fedoralegacy.org/fedora/1/updates-testing/SRPMS/php-4.3.11-1.fc1.3.legacy.src.rpm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

7ad045d32b304f8dd7ddb19b4b635c729e0150df  php-4.2.2-17.16.legacy.i386.rpm

Installs OK. apache stopped and restarted, gallery and squirrelmail (both php-heavy apps) work fine.

+VERIFY RH9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDeN8tePtvKV31zw4RAnfTAKCOc0YKUOBiS0n6xLRR6GUX0HwzvgCdHt3F
YX+m4Ju5Qd4bEf3Hmd5PeFI=
=Kybp
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RHL73: installed with -mysql, -ldap and -imap. phpinfo() seems to work fine, also Horde/IMP seems to work fine.

+VERIFY RHL73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDeta/GHbTkzxSL7QRAs2TAKCpJytlxy0r+qvLVbp3ErFjZEhfpwCfceMW
HO3WUDErV3k4NTzXog/Zvfg=
=CdxU
-----END PGP SIGNATURE-----

Timeout in two weeks.
Timeout over.
Packages were released.
(rh9) php-4.2.2-17.16.legacy: It seems that the patches are not applied (commented out).

php.spec:
#%patch45 -p1 -b .cve3389
#%patch46 -p1 -b .cve3390
#%patch47 -p1 -b .cve3388
#%patch48 -p1 -b .cve3353
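A spec that declares PatchN: sources but applies them with commented-out %patchN lines builds cleanly and ships a package that fixes nothing, which is what the comment above caught after release. The POSIX shell script below is an added example, not from this thread or from the Fedora Legacy build system: it lists every PatchN: a spec declares and reports whether the matching %patchN (or "%patch -P N") application line is live, commented out, or absent. The spec fragment it checks is constructed for the demo and modelled on the lines quoted above; the Patch44 and Patch49 entries, the patch file names and the function names are made up.

```shell
#!/bin/sh
# Added example, not part of the bug thread or of the Fedora Legacy build
# system. Cross-checks an RPM spec: every PatchN: source it declares must
# be applied by an uncommented %patchN (or "%patch -P N") line, which is
# the mistake noticed above in the rh9 php-4.2.2-17.16.legacy spec.
# Requires a POSIX sh and grep -E.

# spec_patch_report SPEC
# One line per declared patch: "applied N file", "COMMENTED N file"
# (an application line exists but is commented out) or "UNAPPLIED N file".
spec_patch_report() {
    specfile=$1
    tail='([^0-9]|$)'
    grep -E '^Patch[0-9]+:' "$specfile" | while read -r tag file; do
        n=${tag#Patch}
        n=${n%:}
        live="^%patch($n|[[:space:]]+-P[[:space:]]*$n)$tail"
        dead="^#[[:space:]]*%patch($n|[[:space:]]+-P[[:space:]]*$n)$tail"
        if grep -Eq "$live" "$specfile"; then
            echo "applied $n $file"
        elif grep -Eq "$dead" "$specfile"; then
            echo "COMMENTED $n $file"
        else
            echo "UNAPPLIED $n $file"
        fi
    done
}

# check_spec_patches SPEC: prints the report, returns 0 only if every
# declared patch is applied.
check_spec_patches() {
    report=$(spec_patch_report "$1")
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -Eq '^(COMMENTED|UNAPPLIED) '; then
        return 1
    fi
    return 0
}

# write_demo_spec FILE: a constructed spec fragment modelled on the
# commented-out lines quoted in the thread; the Patch44/Patch49 entries
# and all patch file names are made up for the demo.
write_demo_spec() {
    cat > "$1" <<'EOF'
Name: php
Version: 4.2.2
Release: 17.16.legacy
Patch44: php-4.2.2-demo-earlier.patch
Patch45: php-4.2.2-CVE-2005-3389.patch
Patch46: php-4.2.2-CVE-2005-3390.patch
Patch47: php-4.2.2-CVE-2005-3388.patch
Patch48: php-4.2.2-CVE-2005-3353.patch
Patch49: php-4.2.2-demo-forgotten.patch

%prep
%setup -q
%patch44 -p1 -b .earlier
#%patch45 -p1 -b .cve3389
#%patch46 -p1 -b .cve3390
#%patch47 -p1 -b .cve3388
#%patch48 -p1 -b .cve3353
EOF
}

# Stand-alone run against the constructed spec.
demo_spec=$(mktemp)
write_demo_spec "$demo_spec"
check_spec_patches "$demo_spec" || echo "spec declares patches it does not apply"
rm -f "$demo_spec"
```

Run `check_spec_patches php.spec` before PUBLISH votes; it is a one-line addition to a QA checklist and would have flagged all four commented patches here. It only inspects the spec text, so a patch that is applied but fails to change the intended code still needs the rpmbuild log or a diff of the patched source to confirm.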
So it seems; I didn't check the others. Re-opening.
Only rh9 is affected. I'm rebuilding packages now and will release an updated advisory.
Updated packages were released to updates.