Bug 783350 (CVE-2012-0807)

Summary: CVE-2012-0807 php-suhosin: stack based buffer overflow in transparent cookie encryption
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: extras-orphan, fedora
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: php-suhosin 0.9.33
Doc Type: Bug Fix
Last Closed: 2016-10-14 13:00:39 UTC
Bug Depends On: 783351, 783352, 783353

Description Vincent Danen 2012-01-20 05:02:34 UTC
It was reported [1] that a flaw in how the PHP Suhosin extension handled transparent cookie encryption could possibly lead to arbitrary code execution in certain situations.

Quoting from the report:

During an internal audit of the Suhosin PHP extension, which is
often confused with the Suhosin PHP Patch, although they are not
the same, a possible stack based buffer overflow inside the
transparent cookie encryption feature was discovered.

If successfully exploited this vulnerability can lead to arbitrary
remote code execution. However further investigation into the
vulnerability revealed that it can only be triggered if the admin
has not only activated transparent cookie encryption, but also
explicitly disabled several other security features of Suhosin.
In addition to that remote exploitation requires a PHP application
that puts unfiltered user input into a call to the header()
function that sends a Set-Cookie header.

Furthermore most modern unix systems compile the Suhosin extension
with the FORTIFY_SOURCE flag, which will detect the possible buffer
overflow and abort execution before something bad can happen.


This can only be done when the feature is enabled (suhosin.cookie.encrypt). This is corrected in upstream 0.9.33 [2].

[1] http://seclists.org/fulldisclosure/2012/Jan/295
[2] https://github.com/stefanesser/suhosin/commit/73b1968ee30f6d9d2dae497544b910e68e114bfa

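The report above names two preconditions on the application side and in the deployment: a PHP script that passes unfiltered user input into a header() call emitting Set-Cookie, and a php.ini with suhosin.cookie.encrypt switched on while running a Suhosin older than 0.9.33. The following is an added example, not code from the Suhosin project or from the bug report, showing the vulnerable application pattern beside a hardened form and a small audit function for the deployment conditions. The option name suhosin.cookie.encrypt and the fixed version 0.9.33 come from the report; the request parameter and cookie name "theme" and the allow-list values are made up for illustration.

```php
<?php
// Added example (not Suhosin's or the reporter's code). Assumptions: the option name
// suhosin.cookie.encrypt and the fixed release 0.9.33 are taken from the report; the
// 'theme' parameter, cookie name and allowed values are invented for the demonstration.

// VULNERABLE PATTERN: unfiltered user input is concatenated into a Set-Cookie header
// built with header(). With suhosin.cookie.encrypt=On, Suhosin rewrites this header,
// which is the code path the report says can overflow a stack buffer when the other
// conditions it lists are also met.
function set_theme_cookie_unsafe()
{
    $theme = isset($_GET['theme']) ? $_GET['theme'] : 'default';
    header('Set-Cookie: theme=' . $theme . '; Path=/; HttpOnly');
}

// HARDENED PATTERN: validate against an allow-list and let setcookie() build the header.
// setcookie() URL-encodes the value and refuses invalid cookie names, so attacker-chosen
// bytes (including CR/LF) never reach the raw header line. This removes the application
// precondition; it does not fix Suhosin itself, which needs the 0.9.33 upgrade.
function set_theme_cookie_safe()
{
    $allowed = array('default', 'dark', 'light');
    $theme = isset($_GET['theme']) ? $_GET['theme'] : 'default';
    if (!in_array($theme, $allowed, true)) {
        return false; // reject unknown input instead of echoing it into a header
    }
    // name, value, expire, path, domain, secure, httponly
    return setcookie('theme', $theme, 0, '/', '', true, true);
}

// DEPLOYMENT CHECK: return a list of findings about whether this host runs an affected
// Suhosin with transparent cookie encryption enabled. An empty list means nothing to do.
function suhosin_cookie_encrypt_findings()
{
    $findings = array();
    if (!extension_loaded('suhosin')) {
        return $findings; // extension absent: CVE-2012-0807 does not apply
    }
    $ver = phpversion('suhosin'); // extension version string, e.g. "0.9.32", or false
    $encrypt = filter_var(ini_get('suhosin.cookie.encrypt'), FILTER_VALIDATE_BOOLEAN);
    if ($ver !== false && version_compare($ver, '0.9.33', '<')) {
        $findings[] = "suhosin $ver is older than the fixed release 0.9.33";
    }
    if ($encrypt) {
        $findings[] = 'suhosin.cookie.encrypt is enabled (required to reach the flawed code)';
    }
    return $findings;
}

// Example usage from the command line on the host being audited:
// php -r 'require "check.php"; print_r(suhosin_cookie_encrypt_findings());'
```

The audit function only reports the two conditions the page names (extension version and suhosin.cookie.encrypt); the report also says several other Suhosin protections must have been explicitly disabled, but it does not name them, so they are not checked here. FORTIFY_SOURCE builds, which the report notes abort on the overflow, are likewise outside what this script can observe from PHP.
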
Comment 1 Vincent Danen 2012-01-20 05:04:12 UTC
Created php-suhosin tracking bugs for this issue

Affects: fedora-15 [bug 783351]
Affects: epel-5 [bug 783352]
Affects: epel-6 [bug 783353]

Comment 2 Kurt Seifried 2012-01-24 20:44:20 UTC
Added CVE as per http://www.openwall.com/lists/oss-security/2012/01/24/11

Comment 3 Remi Collet 2016-10-14 13:00:39 UTC
Closing as the package is no longer in the repo.