Bug 786686 (CVE-2012-0830)

Summary: CVE-2012-0830 php: remote code exec flaw introduced in the CVE-2011-4885 hashdos fix
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: dkutalek, fedora, jorton, mjc, rcvalle, rpm, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=critical,public=20120202,reported=20120202,source=internet,cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P,rhel-4/php=affected,rhel-5/php=affected,rhel-5/php53=affected,rhel-6/php=affected,fedora-all/php=affected,cwe=CWE-228->CWE-119
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-07-10 13:37:13 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 786742, 786743, 786744, 786755, 786756, 786757, 786758, 786988, 831138    
Bug Blocks: 786688, 786690    

Description Huzaifa S. Sidhpurwala 2012-02-02 02:01:21 EST
A flaw was found in the way the max_input_vars directive was implemented in php, as a fix for CVE-2011-4885 (php: hash table collisions CPU usage DoS issue).

A remote attacker could send large number of crafted POST requests, which could crash php or execute arbitrary code with the permissions of the user running php.

Possible upstream patch: http://svn.php.net/viewvc?view=revision&revision=323007

Reference:
http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
Comment 11 Tomas Hoger 2012-02-02 14:19:29 EST
Following page links errata that has been released for Red Hat Enterprise Linux to address CVE-2011-4885 which introduce this issue:

  https://www.redhat.com/security/data/cve/CVE-2011-4885.html

Work on packages addressing CVE-2012-0830 is in progress.  In the meantime, this issue can be mitigated by downgrading php or php53 packages to versions preceding updates listed in the errata for CVE-2011-4885.
Comment 12 Vincent Danen 2012-02-02 15:30:26 EST
Created php tracking bugs for this issue

Affects: fedora-all [bug 786988]
Comment 13 errata-xmlrpc 2012-02-02 17:33:32 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0092 https://rhn.redhat.com/errata/RHSA-2012-0092.html
Comment 14 errata-xmlrpc 2012-02-02 18:03:04 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2012:0093 https://rhn.redhat.com/errata/RHSA-2012-0093.html
Comment 15 Tomas Hoger 2012-02-03 06:08:35 EST
Fedora updates to PHP version 5.3.10 were built and submitted:
  https://admin.fedoraproject.org/updates/search/CVE-2012-0830
Comment 16 Fedora Update System 2012-02-08 17:56:16 EST
php-eaccelerator-0.9.6.1-9.fc16.2, maniadrive-1.2-32.fc16.2, php-5.3.10-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2012-02-14 04:05:04 EST
php-eaccelerator-0.9.6.1-9.fc15.2, maniadrive-1.2-32.fc15.2, php-5.3.10-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.