Bug 214391

Summary: PHP multiple vulnerabilities - CVE-2006-3016, CVE-2006-4020, CVE-2006-4482, CVE-2006-4484, CVE-2006-4486, CVE-2006-5465
Product: [Retired] Fedora Legacy
Reporter: Jeff Sheltren <sheltren>
Component: php
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED WONTFIX
Severity: high
Priority: high
Version: unspecified
CC: deisenst, jam
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important, LEGACY, 3, 4, needsbuild
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2007-07-16 10:50:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jeff Sheltren 2006-11-07 13:14:56 UTC
The Hardened-PHP Project discovered an overflow in the PHP htmlentities()
and htmlspecialchars() routines. If a PHP script used the vulnerable
functions to parse UTF-8 data, a remote attacker sending a carefully
crafted request could trigger the overflow and potentially execute
arbitrary code as the 'apache' user. (CVE-2006-5465)

I think this overflow is probably present in both FC3 and FC4.

RHEL announcement: http://rhn.redhat.com/errata/RHSA-2006-0730.html

Comment 1 Jeff Sheltren 2006-11-07 13:36:06 UTC
Also some older vulnerabilities I don't think we've gotten to yet:
http://rhn.redhat.com/errata/RHSA-2006-0669.html

A response-splitting issue was discovered in the PHP session handling. If
a remote attacker can force a carefully crafted session identifier to be
used, a cross-site-scripting or response-splitting attack could be
possible. (CVE-2006-3016)

A buffer overflow was discovered in the PHP sscanf() function. If a script
used the sscanf() function with positional arguments in the format string,
a remote attacker sending a carefully crafted request could execute
arbitrary code as the 'apache' user. (CVE-2006-4020)

An integer overflow was discovered in the PHP wordwrap() and str_repeat()
functions. If a script running on a 64-bit server used either of these
functions on untrusted user data, a remote attacker sending a carefully
crafted request might be able to cause a heap overflow. (CVE-2006-4482)

A buffer overflow was discovered in the PHP gd extension. If a script was
set up to process GIF images from untrusted sources using the gd extension,
a remote attacker could cause a heap overflow. (CVE-2006-4484)

An integer overflow was discovered in the PHP memory allocation handling.
On 64-bit platforms, the "memory_limit" setting was not enforced correctly,
which could allow a denial of service attack by a remote user. (CVE-2006-4486) 

Comment 2 Jeff Sheltren 2006-11-10 13:59:59 UTC
I've built updated packages to fix these issues.
Patches are based off of RHEL patches.
The FC3 package uses the RHEL patches directly except for one:
php-4.3.11-CVE-2006-4020.patch
The FC4 package required re-patching based on the RHEL patches,
so it'd be nice if someone can give those some extra attention
when doing QA.

FC3:
http://www.cs.ucsb.edu/~jeff/legacy/php-4.3.11-2.8.5.legacy.src.rpm
1477a19b3ca99129da63a00539c960f145b4c914  php-4.3.11-2.8.5.legacy.src.rpm

FC4:
http://www.cs.ucsb.edu/~jeff/legacy/php-5.0.4-10.6.legacy.src.rpm
c6d273a1a0f7fdf3a635cacea6e8044aceab4794  php-5.0.4-10.6.legacy.src.rpm

Comment 3 David Eisenstein 2006-11-15 07:20:46 UTC
Hrm, these look important enough that -- would anyone complain if I just 
built these for updates-testing?  I'll try and have a good look at the 
patches while doing so.

Comment 4 David Eisenstein 2006-11-15 07:26:08 UTC
*** Bug 215565 has been marked as a duplicate of this bug. ***

Comment 5 Jeff Sheltren 2006-11-15 19:21:41 UTC
(In reply to comment #3)
> Hrm, these look important enough that -- would anyone complain if I just 
> built these for updates-testing?  I'll try and have a good look at the 
> patches while doing so.

Works for me, although the more eyes on the patches the better, so if anyone can
look over the SRPMs above, please do so.  The faster we get these into
updates-testing the better.

By the way, I already built the FC3 packages on turbosphere, so you really just
need to build the FC4 ones there (I built those on my local build system).  See
http://turbosphere.fedoralegacy.org/build/job.psp?uid=180 for info on the FC3 build.