Bug 662707 (CVE-2006-7243)

Summary: CVE-2006-7243 php: paths with NULL character were considered valid
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: colin, dmitry, ernest.beinrohr, fedora, jkurik, jorton, ldimaggi, leonard-rh-bugzilla, leo, rcollet, redhat-bugzilla, robert.scheck, rpm, svyatoslav.lempert, webstack-team
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: php 5.3.4
Doc Type: Bug Fix
Last Closed: 2014-09-04 18:59:59 UTC
Type: ---
Bug Depends On: 958614, 988714, 1067646, 1067647    
Bug Blocks: 927185, 952520, 974906    

Description Vincent Danen 2010-12-13 16:45:35 UTC
It was reported [1],[2] that PHP would accept filenames with a NULL character in the string, and silently truncate anything after the NULL character.  This could lead to unexpected results and could possibly disclose the existence of certain system files.  This was initially reported against the file_exists() function, but a number of other functions were changed to prevent PHP from considering paths with a NULL character as being valid [2].

This has been corrected in the upstream 5.3.4 release [3].

[1] http://bugs.php.net/39863
[2] http://www.madirish.net/?article=436
[3] http://svn.php.net/viewvc/?view=revision&revision=305507
[4] http://www.php.net/archive/2010.php#id2010-12-10-1
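
The truncation described in the report, as an added C illustration that is not part of the bug report or the upstream patch: a runtime keeps a length-counted string, but the C library and the kernel stop at the first NUL, so the two layers disagree about which file is named. The struct, the function names and the sample paths are hypothetical and constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Length-counted string, the way a scripting runtime stores a value.
 * Hypothetical type for this example, not PHP's own. */
struct counted_str {
    const char *buf;
    size_t      len;   /* bytes the script supplied, embedded NULs included */
};

/* Number of bytes a NUL-terminated API (open, stat, ...) will act on. */
static size_t os_visible_len(const struct counted_str *s)
{
    const char *nul = memchr(s->buf, '\0', s->len);
    return nul ? (size_t)(nul - s->buf) : s->len;
}

/* 1 if the runtime and the OS agree on the path, 0 if it must be rejected. */
static int path_is_valid(const struct counted_str *s)
{
    return s->len > 0 && os_visible_len(s) == s->len;
}

/* Constructed samples: an application appends ".png" to a caller-supplied
 * name; in the first one the name carries a NUL, so the suffix is lost. */
static const char sample_bad[]  = "/srv/app/secret.cfg\0.png";
static const char sample_good[] = "/srv/app/img/logo.png";

static struct counted_str bad_path(void)
{
    struct counted_str s = { sample_bad, sizeof sample_bad - 1 };
    return s;
}

static struct counted_str good_path(void)
{
    struct counted_str s = { sample_good, sizeof sample_good - 1 };
    return s;
}

int main(void)
{
    struct counted_str p[2] = { bad_path(), good_path() };
    for (int i = 0; i < 2; i++)
        printf("runtime sees %zu bytes, OS sees \"%s\" (%zu bytes): %s\n",
               p[i].len, p[i].buf, os_visible_len(&p[i]),
               path_is_valid(&p[i]) ? "accept" : "reject");
    return 0;
}
```

An application-level suffix or extension check passes on the full counted string while the filesystem call acts on the shorter one, which is why the check belongs at the boundary where the string is handed to a NUL-terminated API.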

Comment 3 Huzaifa S. Sidhpurwala 2010-12-28 08:54:23 UTC

*** This bug has been marked as a duplicate of bug 169857 ***

Comment 4 Jan Lieskovsky 2012-05-09 09:27:50 UTC
*** Bug 820101 has been marked as a duplicate of this bug. ***

Comment 7 Robert Scheck 2013-05-06 12:16:42 UTC
ownCloud 5.0.5 setup complains that a fully RHEL 6 is vulnerable to this. Not
very nice - even this is just moderate. Any plans to fix this?

Comment 8 Robert Scheck 2013-05-13 11:39:48 UTC
Cross-filed case 00836562 in the Red Hat customer portal.

Comment 11 errata-xmlrpc 2013-09-30 22:11:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1307 https://rhn.redhat.com/errata/RHSA-2013-1307.html

Comment 12 Huzaifa S. Sidhpurwala 2013-10-01 04:43:04 UTC
Statement:

(none)

Comment 14 errata-xmlrpc 2013-11-21 11:16:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1615 https://rhn.redhat.com/errata/RHSA-2013-1615.html

Comment 19 errata-xmlrpc 2014-03-18 19:45:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0311 https://rhn.redhat.com/errata/RHSA-2014-0311.html

Comment 20 Tomas Hoger 2014-03-18 21:07:24 UTC
Thanks to Remi Collet for pointing out that parts of the upstream patch are applicable to additional packages available in EPEL-5. Those are either for modules that were not part of PHP upstream in version 5.1.6, or that are not built in Red Hat Enterprise Linux 5 packages.

php-pecl-zip
php-pecl-fileinfo
php-extras (tidy module)

CCing respective owners.