Bug 175040

Summary: CVE-2002-2214 PHP segfault imap_fetch_overview() (CVE-2002-2215, CVE-2003-1302, CVE-2003-1303). Also - Multiple PHP vulnerabilities (CVE-2005-2933 CVE-2005-3883 CVE-2006-0208 CVE-2006-0996 CVE-2006-1490 CVE-2006-1990)
Product: [Retired] Fedora Legacy
Reporter: John Dalbec <jpdalbec>
Component: php
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bressers, deisenst, jorton, m.koshelev, pekkas, tseaver
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: i386
OS: Linux
URL: http://bugs.php.net/bug.php?id=24150
Whiteboard: rh73, rh90, 1, 2, 3, LEGACY
Doc Type: Bug Fix
Last Closed: 2006-07-28 02:37:42 UTC
Bug Depends On: 174463, 174528, 178028, 187230, 187510, 190519, 190524, 190526, 191474
Attachments:
  - Combined patch for listed PHP bugs. (flags: none)
  - the patch (flags: none)

Description John Dalbec 2005-12-05 22:12:22 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20051012 Netscape/8.0.4

Description of problem:
If a mailbox contains a From: or To: header beginning with an overlong e-mail address, imap_fetch_overview() will segfault when processing that message.

This is one of several vulnerabilities where code in php_imap.c calls rfc822_write_address() to write an e-mail address to a buffer of fixed size without first checking that the e-mail address fits into the buffer.

http://bugs.php.net/bug.php?id=15595
http://bugs.php.net/bug.php?id=19280
http://bugs.php.net/bug.php?id=22048
http://bugs.php.net/bug.php?id=24150

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Copy http://cc.ysu.edu/~jpdalbec/adam2.txt to an IMAP mailbox.
2. Access the mailbox using IMP 3.

Actual Results:  Web server segfaulted

Expected Results:  Mailbox should open and display overview.

Additional info:
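
The fixed-size-buffer pattern described above, as an added illustration that is not code from PHP, c-client or this bug's patches: an unchecked writer next to a variant that measures the address list before writing. The ADDRESS struct, the 1024-byte MAILTMPLEN and the try_fixed_buffer/last_written helpers are simplified assumptions made for the example, not c-client's definitions.

```c
#include <stdio.h>
#include <string.h>
/* Assumed stand-ins for c-client's ADDRESS and MAILTMPLEN (simplified, not the real definitions). */
#define MAILTMPLEN 1024
typedef struct address {
    char *personal, *mailbox, *host;   /* display name (may be NULL), local part, domain */
    struct address *next;
} ADDRESS;

/* Unchecked writer: the pattern behind the bug. It assumes dest is big
 * enough; an overlong mailbox or host simply runs past the buffer. */
static size_t write_address_unchecked(char *dest, const ADDRESS *adr)
{
    char *p = dest;
    for (; adr; adr = adr->next) {
        if (p != dest) p += sprintf(p, ", ");
        if (adr->personal) p += sprintf(p, "\"%s\" ", adr->personal);
        p += sprintf(p, "<%s@%s>", adr->mailbox, adr->host);
    }
    return (size_t)(p - dest);
}

/* Length the formatted list needs, excluding the NUL terminator. */
size_t address_len(const ADDRESS *adr)
{
    size_t n = 0;
    for (; adr; adr = adr->next) {
        if (n) n += 2;                                      /* ", " */
        if (adr->personal) n += strlen(adr->personal) + 3;  /* quotes + space */
        n += strlen(adr->mailbox) + strlen(adr->host) + 3;  /* '<', '@', '>' */
    }
    return n;
}

/* Hardened writer: measure first and refuse when the result would not fit.
 * Returns 0 on success, -1 if dest is too small (dest is left untouched). */
int write_address_checked(char *dest, size_t destlen, const ADDRESS *adr)
{
    if (address_len(adr) + 1 > destlen) return -1;
    write_address_unchecked(dest, adr);
    return 0;
}

/* Experiment helper: constructed single entry with a mailbox of mailbox_len 'a's,
 * written into a MAILTMPLEN-byte buffer via the checked path; output in last_written. */
char last_written[MAILTMPLEN];
int try_fixed_buffer(size_t mailbox_len)
{
    static char mb[4096];
    if (mailbox_len >= sizeof mb) return -2;
    memset(mb, 'a', mailbox_len); mb[mailbox_len] = '\0';
    ADDRESS a = { "Adam", mb, "example.org", NULL };
    return write_address_checked(last_written, sizeof last_written, &a);
}
```

With a 1024-byte buffer and the constructed "Adam"/example.org entry, a mailbox of up to 1002 characters fits and anything longer is refused instead of overflowing.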

Comment 1 John Dalbec 2005-12-05 22:14:09 UTC
Oops, that's http://cc.ysu.edu/~jpdalbec/adam.txt


Comment 2 John Dalbec 2005-12-05 22:20:25 UTC
Created attachment 121874 [details]
Combined patch for listed PHP bugs.

Comment 3 David Eisenstein 2006-01-17 23:07:48 UTC
New Security bug:  CVE-2006-0208:
   "Multiple cross-site scripting (XSS) vulnerabilities in PHP 5.1.1 allow
remote attackers to inject arbitrary web script or HTML via unknown attack
vectors in 'certain error conditions.'"

As a result, PHP has released PHP 5.1.2  <http://www.php.net/release_5_1_2.php>.

Red Hat has opened a bug for RHEL4, Bug #178028.  Josh Bressers has determined
that this affects PHP 5.1 and PHP 4.3 releases.  Josh also states that RHEL 3 and
RHEL 2.1 are affected.

Josh says in Bug #178028, "The problem exists in the way PHP displays error
messages.  This issue is only exploitable when 'display_errors' and
'html_errors' are both set to 'On' in the PHP configuration file.  When an HTML
error message was being generated, the output was not properly sanitized, which
could allow an attacker to insert arbitrary HTML, thus allowing an XSS attack.

"This issue is only exploitable if 'html_errors' is on, which the configuration
file clearly states should not be used on production machines.

"I have verified this flaw exists in the PHP 4.3 and 5.1 branches."

RHEL 2.1 uses PHP 4.1.2.
RHEL 3   uses PHP 4.3.2.
RHEL 4   uses PHP 4.3.9.
RHL 7.3  uses PHP 4.1.2.
RHL 9    uses PHP 4.2.2.
FC1      uses PHP 4.3.11.
FC2      uses PHP 4.3.11.
FC3      uses PHP 4.3.11.

This issue therefore should affect RHL 7.3, RHL9, FC1, FC2, FC3.



Comment 4 Marc Deslauriers 2006-04-27 00:10:11 UTC
The phpinfo() PHP function did not properly sanitize long strings. An
attacker could use this to perform cross-site scripting attacks against
sites that have publicly-available PHP scripts that call phpinfo().
(CVE-2006-0996)

The html_entity_decode() PHP function was found to not be binary safe. An
attacker could use this flaw to disclose a certain part of the memory. In
order for this issue to be exploitable the target site would need to have a
PHP script which called the "html_entity_decode()" function with untrusted
input from the user and displayed the result. (CVE-2006-1490)

The error handling output was found to not properly escape HTML output in
certain cases. An attacker could use this flaw to perform cross-site
scripting attacks against sites where both display_errors and html_errors
are enabled. (CVE-2006-0208)

An input validation error was found in the "mb_send_mail()" function. An
attacker could use this flaw to inject arbitrary headers in a mail sent via
a script calling the "mb_send_mail()" function where the "To" parameter can
be controlled by the attacker. (CVE-2005-3883)

A buffer overflow flaw was discovered in uw-imap, the University of
Washington's IMAP Server. php-imap is compiled against the static c-client
libraries from imap and therefore needed to be recompiled against the fixed
version. This issue only affected Red Hat Enterprise Linux 3.
(CVE-2005-2933).


https://rhn.redhat.com/errata/RHSA-2006-0276.html

Comment 5 Marc Deslauriers 2006-04-27 00:21:24 UTC
John, is the bug you reported a security issue? Is there a CVE number for it?

Comment 6 John Dalbec 2006-04-27 12:40:48 UTC
I don't know of any CVE numbers.  I was able to modify the e-mail message in the
above link to cause code execution at 0xdeadbeef, so I think it's at least
potentially a security issue.

Comment 7 Marc Deslauriers 2006-04-30 23:09:16 UTC

Here are updated packages to QA.


Downloads:

http://www.infostrategique.com/linuxrpms/legacy/7.3/php-4.1.2-7.3.19.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/php-4.2.2-17.20.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/php-4.3.11-1.fc1.5.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/php-4.3.11-1.fc2.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/php-4.3.11-2.8.2.legacy.src.rpm



Comment 8 Pekka Savola 2006-05-02 19:28:21 UTC
RHEL21 update hasn't apparently been released yet, I hope there won't be patch
mismatches..

Comment 9 Marc Deslauriers 2006-05-02 20:54:47 UTC
There will be, as I backported the patches to rh9 and rh73 myself. I wonder when
the update will come out for rhel21...

Comment 10 Pekka Savola 2006-05-05 06:19:30 UTC
FC1 through FC3 are OK, but I get a headache from looking at RHL73 and RHL9
patches, especially the xml2rpc_errors handling.. if someone wants to look at
those, feel free.. otherwise I'll probably wait a few more days if RHEL21
updates would make it easier.

Comment 11 Pekka Savola 2006-05-29 05:52:24 UTC
A couple of comments,

1) RHEL21 also patched CVE-2006-1990 which probably affects us too.  Not sure
whether it affects other versions.

2) php-4.1.2-php_imap.c.patch seems to be a bit different than
php-4.1.2-bug24150.patch and php-4.3.2-bug24150.patch that RHEL shipped.   Are
these fixing the same bug?  This might be applicable to RHL9 as well.  It might
be best to use RHEL patches if feasible.

3) the patches for 2006-0996 seem OK compared to RHEL, there are a couple of
minor diffs wrt TSRMLS_CC etc. those are probably OK.

4) the approach for 2006-0208 was different, and RHEL21 seemed a bit simpler (at
least to verify :-).  If the RPMs would need to be redone, I'd recommend that
approach.


Name: CVE-2006-1990 (under review)
Status: Candidate
Description: Integer overflow in the wordwrap function in string.c in PHP 4.4.2
and 5.1.2 might allow context-dependent attackers to execute arbitrary code via
certain long arguments that cause a small buffer to be allocated, which triggers
a heap-based buffer overflow in a memcpy function call, a different
vulnerability than CVE-2002-1396.
References:
    * MISC:http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-04-02
    * REDHAT:RHSA-2006:0501
    * URL:http://www.redhat.com/support/errata/RHSA-2006-0501.html
...


Comment 13 David Eisenstein 2006-05-31 20:23:34 UTC
Hey Josh,

According to John Dalbec in Comment #6 of this bug, he was able to cajole php
into executing code at 0xdeadbeef, for some bugs that are probably related to
the php bugs that were fixed in announcement RHSA-2006-0501.  The Bugs that John
specifically pointed out have the effect of causing imap_fetch_overview() to
segfault when a mailbox contains a From: or To: header with an overlong email
address.  (See Comment #0).

John has just indicated that the patch, php-4.1.2-bug24150.patch, included in
one of the RHEL updates, fixed only 3 out of 4 of the bugs he noticed (See
comment #12).

I haven't myself had a chance to dig into the code, but I thought you might wish
to know this.  Do you think there indeed is an (additional) code-execution
vulnerability here?  Also, did the patched php packages released with
RHSA-2006-0501 fix all of the vulnerabilities that need fixing in php?  Does a
new CVE number need to be allocated or anything?

Thanks.   -David

Comment 14 Josh Bressers 2006-06-01 02:15:04 UTC
Hi David,

Thanks for the heads up on this.

These issues never seem to have gotten CVE ids.  We'll have to sort all this out
(which versions fixed which bugs, which bugs are really dupes, etc.)  It does
seem that upstream bug 15595 isn't fixed in RHEL2.1.  I'm going to have a better
look tomorrow when I'm more attentive.

Comment 15 Josh Bressers 2006-06-14 12:36:54 UTC
This comment is from my mail archive.  Due to the bugzilla crash some data was lost:

------- Additional Comments From deisenst  2006-06-10 17:12 EST -------
Josh,

Anything new on the RHEL 2.1 front?

Folks,

Looks like we need to issue new packages here, perhaps based on the RHEL
packages with the patch http://bugs.php.net/bug.php?id=15595 added in.  Do you
want me to do it, Marc?  Jeff?  Are there any other outstanding issues? -Dave


Comment 16 Josh Bressers 2006-06-14 12:40:14 UTC
------- Additional Comments From jorton  2006-06-12 09:51 EST -------
Sorry for the slow response David.

Yes, I can reproduce a segfault with the test case for the upstream PR 15595
issue on the RHEL2.1 php.  Thanks for bringing this to our attention.   This
will need a CVE name (the issue is from 2002!).


Comment 17 Josh Bressers 2006-06-14 12:41:05 UTC
------- Additional Comments From jorton  2006-06-12 10:33 EST -------

This patch is incremental to php-4.1.2-bug24150.patch and should fix the 15595
issue (tested to do so, and testing in no other way).

Joe, we lost this patch, can you re-add it?

Comment 18 Joe Orton 2006-06-14 12:52:38 UTC
Created attachment 130838 [details]
the patch

Comment 19 Marc Deslauriers 2006-06-15 00:25:12 UTC
Thanks, I'll build new packages.

Comment 21 Marc Deslauriers 2006-06-24 21:33:46 UTC

Here are updated packages to QA.


Downloads:

http://www.infostrategique.com/linuxrpms/legacy/7.3/php-4.1.2-7.3.20.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/php-4.2.2-17.21.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/php-4.3.11-1.fc1.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/php-4.3.11-1.fc2.7.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/php-4.3.11-2.8.3.legacy.src.rpm



Comment 22 Pekka Savola 2006-06-30 06:13:01 UTC
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - 1990 patch verified from RHEL and upstream, 0208 looks good.
The 15595 issue (mentioned in comments #6, #17, #18 etc.) isn't fixed
AFAICT, but we could get around to that later as well..
 
+PUBLISH RHL73, RHL9, FC1, FC2, FC3
 



Comment 23 David Eisenstein 2006-06-30 08:29:44 UTC
Thanks a bunch, Pekka!  :)

Comment 24 Marc Deslauriers 2006-06-30 13:49:34 UTC
Thanks for the QA Pekka.

The 15595 issue is already fixed. It's been in the php-4.1.2-php_imap.c.patch
since comment #7.


Comment 25 Marc Deslauriers 2006-07-06 02:17:56 UTC
Packages have been pushed to updates-testing

Comment 26 Tres Seaver 2006-07-06 03:32:09 UTC

Packages tested:


SHA1 checksums and GPG signatures verified:

  $ rpm -K php-*4.3.11*.rpm
  php-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-devel-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-domxml-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-imap-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-ldap-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-mbstring-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-mysql-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-odbc-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-pgsql-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-snmp-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  php-xmlrpc-4.3.11-1.fc1.6.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK

Packages installed cleanly:

  $ rpm -Fvh php-*4.3.11*.rpm

Tested PHP application (SquirrelMail) after installation;  ran successfully.

+VERIFY FC1


Comment 27 Pekka Savola 2006-07-06 08:18:49 UTC
 
QA for RHL73.  Signature OK, upgrades OK.  Basic PHP web pages and HORDE/IMP
(using mysql and ldap plugins) continue to work OK.
 
+VERIFY RHL73

Two verifies, timeout one week.

Comment 28 Tom Yates 2006-07-10 14:01:48 UTC

1cd4a11bf52c1b18dce2937a7f15789b059c1967 php-4.2.2-17.21.legacy.i386.rpm
714057b386abaa03573d14c8757ef97858ba2b17 php-mysql-4.2.2-17.21.legacy.i386.rpm

installs fine.  squirrelmail (using imap, although not apparently
php-imap) works fine.

+VERIFY RH9



Comment 29 Marc Deslauriers 2006-07-28 02:37:42 UTC
Packages were released.