Bug 786686 (CVE-2012-0830)

Summary: CVE-2012-0830 php: remote code exec flaw introduced in the CVE-2011-4885 hashdos fix
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: dkutalek, fedora, jorton, mjc, rcvalle, rpm, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-07-10 17:37:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 786742, 786743, 786744, 786755, 786756, 786757, 786758, 786988, 831138    
Bug Blocks: 786688, 786690    

Description Huzaifa S. Sidhpurwala 2012-02-02 07:01:21 UTC 
A flaw was found in the way the max_input_vars directive was implemented in php, as a fix for CVE-2011-4885 (php: hash table collisions CPU usage DoS issue).

A remote attacker could send large number of crafted POST requests, which could crash php or execute arbitrary code with the permissions of the user running php.

Possible upstream patch: http://svn.php.net/viewvc?view=revision&revision=323007

Reference:
http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
Comment 10 Tomas Hoger 2012-02-02 19:13:45 UTC 
http://www.h-online.com/security/news/item/Critical-PHP-vulnerability-being-fixed-1427316.html
Comment 11 Tomas Hoger 2012-02-02 19:19:29 UTC 
Following page links errata that has been released for Red Hat Enterprise Linux to address CVE-2011-4885 which introduce this issue:

  https://www.redhat.com/security/data/cve/CVE-2011-4885.html

Work on packages addressing CVE-2012-0830 is in progress.  In the meantime, this issue can be mitigated by downgrading php or php53 packages to versions preceding updates listed in the errata for CVE-2011-4885.
Comment 12 Vincent Danen 2012-02-02 20:30:26 UTC 
Created php tracking bugs for this issue

Affects: fedora-all [bug 786988]
Comment 13 errata-xmlrpc 2012-02-02 22:33:32 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0092 https://rhn.redhat.com/errata/RHSA-2012-0092.html
Comment 14 errata-xmlrpc 2012-02-02 23:03:04 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2012:0093 https://rhn.redhat.com/errata/RHSA-2012-0093.html
Comment 15 Tomas Hoger 2012-02-03 11:08:35 UTC 
Fedora updates to PHP version 5.3.10 were built and submitted:
  https://admin.fedoraproject.org/updates/search/CVE-2012-0830
Comment 16 Fedora Update System 2012-02-08 22:56:16 UTC 
php-eaccelerator-0.9.6.1-9.fc16.2, maniadrive-1.2-32.fc16.2, php-5.3.10-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2012-02-14 09:05:04 UTC 
php-eaccelerator-0.9.6.1-9.fc15.2, maniadrive-1.2-32.fc15.2, php-5.3.10-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.