Bug 539529 (CVE-2009-3557, CVE-2009-3558, CVE-2009-3559)

Summary: php: safe_mode / open_basedir security fixes in 5.3.1
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
Severity: low
Priority: low
Version: unspecified
CC: jlieskov, jorton
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2009-11-20 13:53:59 UTC

Description Tomas Hoger 2009-11-20 13:43:53 UTC
The new PHP upstream release 5.3.1 fixes a couple of security issues:

  http://www.php.net/releases/5_3_1.php
  http://www.php.net/ChangeLog-5.php#5.3.1

Mail announcement with CVE ids:

  http://news.php.net/php.announce/79

  - Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.
    (CVE-2009-3557, Rasmus)
  - Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz
    Stachowiak. (CVE-2009-3558, Rasmus)
  - Fixed bug #50063 (safe_mode_include_dir fails). (CVE-2009-3559,
    Johannes, christian at elmerot dot se)

Note: CVE-2009-3292 / CVE-2009-3294 were previously fixed in 5.2.11.

Comment 1 Tomas Hoger 2009-11-20 13:47:17 UTC
The tempnam() safe_mode bypass is covered by the following advisory:

  http://securityreason.com/securityalert/6601

uid checks for the target directory were not performed by tempnam(); upstream fix:

  http://svn.php.net/viewvc?view=revision&revision=288945

Comment 2 Tomas Hoger 2009-11-20 13:48:44 UTC
The posix_mkfifo() open_basedir bypass is covered by the following advisory:

  http://securityreason.com/securityalert/6600

Upstream fix:

  http://svn.php.net/viewvc?view=revision&revision=288943
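
A post-upgrade regression check for the open_basedir fix discussed in this comment, added here as an example and not code from PHP or from this report; it also covers tempnam() and fopen() against the same restriction. The restricted calls run in a child `php` with open_basedir tightened, and the unrestricted parent then inspects the filesystem; the helper name and temporary directory names are this example's own assumptions.

```php
<?php
// Added regression check (not from the bug report or PHP): confirms that posix_mkfifo(),
// tempnam() and fopen() refuse paths outside open_basedir. The restricted calls run in
// a child `php`; the parent, which is not under open_basedir, is the ground truth.
// Directory names and the helper name below are constructed for this check.

function open_basedir_regression_check(string $php = PHP_BINARY): array
{
    $base    = sys_get_temp_dir() . '/obd_check_' . getmypid();
    $allowed = $base . '/allowed';   // the only tree the child may touch
    $outside = $base . '/outside';   // must still be empty after the child runs
    foreach ([$allowed, $outside] as $d) {
        if (!is_dir($d) && !mkdir($d, 0700, true)) {
            throw new RuntimeException("cannot create $d");
        }
    }

    // Child script: every call targets the forbidden directory, so each must fail.
    $child = <<<'PHP'
$out = $argv[1];
$r = [
    'posix_mkfifo' => function_exists('posix_mkfifo') ? @posix_mkfifo("$out/fifo", 0600) : 'skipped',
    'tempnam'      => @tempnam($out, 'obd'),
    'fopen'        => @fopen("$out/plain", 'w'),
];
echo json_encode(array_map(function ($v) { return $v === 'skipped' ? $v : (bool) $v; }, $r));
PHP;
    $cmd = escapeshellarg($php) . ' -d open_basedir=' . escapeshellarg($allowed)
         . ' -r ' . escapeshellarg($child) . ' ' . escapeshellarg($outside);
    $calls = json_decode((string) shell_exec($cmd), true);
    if (!is_array($calls) || count($calls) !== 3) {
        throw new RuntimeException('child php did not report results');
    }

    // Anything the child managed to create outside its base directory is a bypass.
    $leaked = array_values(array_diff(scandir($outside), ['.', '..']));
    foreach ($leaked as $f) { @unlink("$outside/$f"); }
    @rmdir($outside); @rmdir($allowed); @rmdir($base);

    return [
        'calls_succeeded' => array_keys($calls, true, true),  // any name here is a bypass
        'files_outside'   => $leaked,                          // any entry here is a bypass
        'ok'              => $leaked === [] && !in_array(true, $calls, true),
    ];
}

$result = open_basedir_regression_check();
echo json_encode($result, JSON_PRETTY_PRINT), PHP_EOL;
exit($result['ok'] ? 0 : 1);
```

A non-zero exit status (or any name listed under `calls_succeeded`) means the running PHP still lets that function escape open_basedir; `posix_mkfifo` reports `skipped` when the posix extension is not loaded in the child.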

Comment 3 Tomas Hoger 2009-11-20 13:52:43 UTC
The "safe_mode_include_dir fails" problem is detailed in the upstream bug:

  http://bugs.php.net/bug.php?id=50063

According to the bug, this issue is specific to 5.3.x and does not affect previous versions.

Upstream fix:

  http://svn.php.net/viewvc/?view=revision&revision=290578

This problem is also not a security flaw, as the safe mode uid check was applied where it shouldn't have been.  So access was denied where it should have been granted.

Comment 4 Tomas Hoger 2009-11-20 13:53:59 UTC
CVE-2009-3559 is not a security issue; CVE-2009-3557/CVE-2009-3558 are safe_mode / open_basedir bypass issues, closing as a dupe of bug #169857.

*** This bug has been marked as a duplicate of bug 169857 ***

Comment 5 Jan Lieskovsky 2009-11-23 17:52:56 UTC
Mitre's CVE-2009-3559 entry:
----------------------------

** DISPUTED ** main/streams/plain_wrapper.c in PHP 5.3.x before 5.3.1
does not recognize the safe_mode_include_dir directive, which allows
context-dependent attackers to have an unknown impact by triggering
the failure of PHP scripts that perform include or require operations,
as demonstrated by a script that attempts to perform a require_once on
a file in a standard library directory. NOTE: a reliable third party
reports that this is not a vulnerability.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3559
http://www.openwall.com/lists/oss-security/2009/11/20/2
http://www.openwall.com/lists/oss-security/2009/11/20/3
http://www.openwall.com/lists/oss-security/2009/11/20/5
http://news.php.net/php.announce/79
http://bugs.php.net/bug.php?id=50063
http://www.php.net/ChangeLog-5.php
http://www.php.net/releases/5_3_1.php