Bug 741020 (CVE-2011-3379)
| Summary: | CVE-2011-3379 php: changes to is_a() in 5.3.7 may allow arbitrary code execution with certain code | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | fedora, jorton, rpm |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-05 09:41:26 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 741022 | ||
| Bug Blocks: | |||
Created php tracking bugs for this issue Affects: fedora-all [bug 741022] A better (and less restrictive) work-around for this flaw is to disable allow_url_include rather than allow_url_fopen. This has been assigned the name CVE-2011-3379 php-5.3.8-3.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. php-5.3.8-3.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. php-5.3.8-3.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. |
It was reported [1],[2] that due to changes in the is_a() function [3],[4] PHP 5.3.7 and 5.3.8 became vulnerable to remote arbitrary code execution when is_a() is used in certain ways. Due to the __autoload() implementation, if a user were able to upload a crafted file, it could be possible to pass the contents of the file as an argument to the __autoload() function which could in turn use that argument as a file to include(). If there was no adequate checking or enforcement of the file to load being, local, this could lead to including a remote script from a remote web site. An example of a vulnerable __autoload() function could be: function __autoload($class_name) { include $class_name . '.php'; } In the above example, were $class_name to include a remote URL, and if allow_url_fopen was enabled in php.ini, this could result in loading a remote PHP script on the server. This flaw does not affect PHP versions prior to 5.3.7 were this change was introduced. A fix is in PHP's subversion repository (r317183) [5]. [1] http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/ [2] https://bugs.php.net/bug.php?id=55475 [3] https://bugs.php.net/bug.php?id=53727 [4] http://svn.php.net/viewvc/?view=revision&revision=312904 [5] http://svn.php.net/viewvc/?view=revision&revision=317183 Statement: Not vulnerable. This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 4, 5, or 6.