Bug 445006 (CVE-2008-2051)

Summary: CVE-2008-2051 PHP multibyte shell escape flaw
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jorton, jrusnack, kreilly
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: source=php,reported=20080502,public=20080501,impact=moderate
Fixed In Version: 5.2.6-2.fc9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-29 09:46:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 445917, 445919, 445920, 445921, 445922, 445923, 445924, 445925    
Bug Blocks:    

Description Josh Bressers 2008-05-02 18:04:07 UTC
From the PHP 5.2.6 changelog:
* Properly address incomplete multibyte chars inside escapeshellcmd() identified
by Stefan Esser.

The fix for this is here:
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/exec.c?r1=1.113.2.3.2.1.2.3&r2=1.113.2.3.2.1.2.4&diff_format=u

Comment 2 Joe Orton 2008-05-06 13:14:34 UTC
This issue is exploitable if you have a script which:

1) passes untrusted script input to escapeshellcmd (as is the intended use for
that function)

2) runs a shell script using the output from (1) in a "strange" locale.

This does not seem to be exploitable in UTF-8 locales on Linux.  Based on this
analysis I would say rate this Moderate severity.

Comment 3 Tomas Hoger 2008-05-07 11:13:59 UTC
Further detail can be found in Stefan Esser's advisory:

http://www.sektioneins.de/advisories/SE-2008-03.txt

Comment 10 Fedora Update System 2008-06-14 04:19:43 UTC
php-5.2.6-2.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update php'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-3606

Comment 11 Fedora Update System 2008-06-20 19:08:22 UTC
php-5.2.6-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2008-06-20 19:09:21 UTC
php-5.2.6-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.