Bug 445003 (CVE-2008-0599)

Summary: CVE-2008-0599 php: buffer overflow in a CGI path translation
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: jorton
Keywords: Reopened, Security
Hardware: All
OS: Linux
Fixed In Version: 5.2.6-2.fc9
Doc Type: Bug Fix
Last Closed: 2010-03-29 09:45:56 UTC
Bug Depends On: 445925

Description Josh Bressers 2008-05-02 17:59:50 UTC
From the PHP 5.2.6 changelog:
* Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.

The fix for this is here:
http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.50.2.12&r2=1.267.2.15.2.50.2.13&diff_format=u

Comment 2 Tomas Hoger 2008-05-05 08:03:00 UTC
This issue seems to have been introduced in the following commit:

http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?diff_format=u&view=diff&r1=1.323&r2=1.324

The affected code first appeared in released PHP version 5.2.3.

In previous versions, env_path_info was not checked to be non-NULL, possibly
causing a crash of the php interpreter launched to handle the CGI request
(unlikely, as the PATH_INFO environment variable is set by the web server).

Comment 3 Joe Orton 2008-05-06 10:32:18 UTC
Whether or not PATH_INFO is present in the environment is under the control of
the remote user.

But this code path can only be reached if DOCUMENT_ROOT is not set (the
preceding "if" condition on env_document_root).  That will never happen if
/usr/bin/php-cgi is being executed via httpd mod_cgi.

It does look like it's normal that DOCUMENT_ROOT is not passed through if
php-cgi is being executed via FastCGI, however.  In that case, it could cause a
NULL pointer dereference and the php-cgi process would be recycled by the
fastcgi parent; a very minor DoS.  Not sure if we actually ship any FastCGI
servers, though.

So I'd say, this is severity=Low.
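A simplified model of the path-translation step the comments above describe, as an added example that is not PHP's own cgi_main.c code: DOCUMENT_ROOT and PATH_INFO are read from the environment, the branch taken when DOCUMENT_ROOT is absent refuses a NULL PATH_INFO instead of dereferencing it, and the result is bounds-checked. The function name, buffer size and the fallback rule are assumptions made for the example.

```c
/* Added illustration, not code from php-src/sapi/cgi/cgi_main.c: a simplified
 * model of the CGI path-translation step discussed in this bug. Names,
 * buffer size and the fallback rule are assumptions made for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256
/* Build the server-side path for a CGI request from the DOCUMENT_ROOT and
 * PATH_INFO variables the web server may (or may not) have exported.
 * Returns the length of the translated path, or -1 when a required input is
 * absent or the result would not fit in out[outlen]. */
int translate_path(const char *env_document_root, const char *env_path_info,
                   char *out, size_t outlen)
{
    int n;
    if (env_document_root != NULL) {
        /* httpd mod_cgi always exports DOCUMENT_ROOT (comment 3), so this is
         * the usual branch; a missing PATH_INFO just means "no extra path". */
        n = snprintf(out, outlen, "%s%s", env_document_root,
                     env_path_info ? env_path_info : "");
    } else {
        /* DOCUMENT_ROOT absent (comment 3: normal under FastCGI). The pre-fix
         * code reached this branch and used env_path_info without checking
         * it, so an absent PATH_INFO meant a NULL pointer dereference. */
        if (env_path_info == NULL)
            return -1;                 /* the check that was missing */
        n = snprintf(out, outlen, "%s", env_path_info);
    }
    /* snprintf reports the length it wanted; refuse a truncated path rather
     * than hand back a silently clipped one. */
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    char path[PATH_BUF];
    /* Read the same variables a CGI or FastCGI process would see. */
    int n = translate_path(getenv("DOCUMENT_ROOT"), getenv("PATH_INFO"),
                           path, sizeof path);
    if (n < 0) {
        fputs("translation refused: missing input or path too long\n", stderr);
        return 1;
    }
    printf("translated path: %s (%d bytes)\n", path, n);
    return 0;
}
```

Run it with and without DOCUMENT_ROOT and PATH_INFO in the environment to see which inputs the translation step refuses.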


Comment 5 Mark J. Cox 2008-05-20 07:49:55 UTC
This issue does not affect the version of PHP as shipped with Red Hat Enterprise
Linux 2.1, 3, 4, or 5.

Comment 7 Fedora Update System 2008-06-20 19:08:19 UTC
php-5.2.6-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-06-20 19:09:29 UTC
php-5.2.6-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.