Bug 782657 (CVE-2012-0057)
Summary: | CVE-2012-0057 php: XSLT file writing vulnerability | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | fedora, jorton, kowalczykb, ltx985122, mjc, rpm |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | php 5.3.9 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-06-27 17:19:25 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 819855, 819856, 830727, 830728, 830729, 830730 | ||
Bug Blocks: | 782956, 835958, 835959, 835960 |
Description
Kurt Seifried
2012-01-18 03:30:01 UTC
Upstream bug report: https://bugs.php.net/bug.php?id=54446 Upstream commits: http://svn.php.net/viewvc/?view=revision&revision=313160 http://svn.php.net/viewvc/?view=revision&revision=316530 http://svn.php.net/viewvc/?view=revision&revision=317759 http://svn.php.net/viewvc/?view=revision&revision=317801 There's a difference in between 5.4 and 5.3 fixes. Both disable writing by default, however, there are different ways to control that default. 5.4 fix introduces XsltProcessor::setSecurityPrefs($options) and getSecurityPrefs(), while 5.3 fix adds new xsl.security_prefs ini option. OSS-Security list discussion: http://thread.gmane.org/gmane.comp.security.oss.general/6672 This was fixed upstream in 5.3.9: http://www.php.net/ChangeLog-5.php#5.3.9 This issue has been addressed in the following security advisories for Fedora 15 and Fedora 16: Fedora-15: https://admin.fedoraproject.org/updates/FEDORA-2012-0420/php-5.3.9-1.fc15 Fedora-16: https://admin.fedoraproject.org/updates/FEDORA-2012-0504/php-5.3.9-1.fc16 This issue affects the version of php as shipped with Red Hat Enterprise Linux 4, 5 and 6. This issue affects the version of php53 as shipped with Red Hat Enterprise Linux 5. Will there be any updates to php53 (RHEL 5) to address this problem? Thanks This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:1047 https://rhn.redhat.com/errata/RHSA-2012-1047.html This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2012:1046 https://rhn.redhat.com/errata/RHSA-2012-1046.html This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:1045 https://rhn.redhat.com/errata/RHSA-2012-1045.html |