Bug 539529 (CVE-2009-3557, CVE-2009-3558, CVE-2009-3559)
Summary: | php: safe_mode / open_basedir security fixes in 5.3.1 | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED DUPLICATE | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | CC: | jlieskov, jorton |
Version: | unspecified | Keywords: | Security |
Hardware: | All | Doc Type: | Bug Fix |
OS: | Linux | Last Closed: | 2009-11-20 13:53:59 UTC |

Description
Tomas Hoger
2009-11-20 13:43:53 UTC
tempnam() safe_mode bypass is covered by the following advisory:
http://securityreason.com/securityalert/6601

uid checks for target directory were not performed by tempnam(), upstream fix:
http://svn.php.net/viewvc?view=revision&revision=288945

posix_mkfifo() open_basedir bypass is covered by the following advisory:
http://securityreason.com/securityalert/6600

Upstream fix:
http://svn.php.net/viewvc?view=revision&revision=288943

safe_mode_include_dir fails problem is detailed in the upstream bug:
http://bugs.php.net/bug.php?id=50063

According to the bug, this issue is specific to 5.3.x and does not affect previous versions. Upstream fix:
http://svn.php.net/viewvc/?view=revision&revision=290578

This problem is also not a security flaw, as safe mode uid check was applied where it shouldn't have been. So the access was denied where it should have been granted.

CVE-2009-3559 is not security, CVE-2009-3557/CVE-2009-3558 are safe_mode / open_basedir bypass issues, closing as dupe of bug #169857.

*** This bug has been marked as a duplicate of bug 169857 ***

Mitre's CVE-2009-3559 entry:
----------------------------

** DISPUTED ** main/streams/plain_wrapper.c in PHP 5.3.x before 5.3.1 does not recognize the safe_mode_include_dir directive, which allows context-dependent attackers to have an unknown impact by triggering the failure of PHP scripts that perform include or require operations, as demonstrated by a script that attempts to perform a require_once on a file in a standard library directory. NOTE: a reliable third party reports that this is not a vulnerability.

References:
-----------

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3559
http://www.openwall.com/lists/oss-security/2009/11/20/2
http://www.openwall.com/lists/oss-security/2009/11/20/3
http://www.openwall.com/lists/oss-security/2009/11/20/5
http://news.php.net/php.announce/79
http://bugs.php.net/bug.php?id=50063
http://www.php.net/ChangeLog-5.php
http://www.php.net/releases/5_3_1.php