Bug 820708 (CVE-2012-2336)

Summary: CVE-2012-2336 php: incomplete CVE-2012-1823 fix - missing filtering of -T and -h

Field | Value | Field | Value
---|---|---|---
Product | [Other] Security Response | Reporter | Jan Lieskovsky <jlieskov>
Component | vulnerability | Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA | QA Contact |
Severity | medium | Docs Contact |
Priority | medium | |
Version | unspecified | CC | fedora, jorton, mjc, rcvalle, rpm
Target Milestone | --- | Keywords | Security
Target Release | --- | |
Hardware | All | |
OS | Linux | |
Whiteboard | | |
Fixed In Version | | Doc Type | Bug Fix
Doc Text | | Story Points | ---
Clone Of | | Environment |
Last Closed | 2012-06-27 16:15:34 UTC | Type | ---
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Bug Depends On | 819855, 819856, 819857, 819858, 819859, 819860 | |
Bug Blocks | 820710, 835958, 835959, 835960 | |
Description
Jan Lieskovsky
2012-05-10 18:06:31 UTC
Relevant upstream fix is the second hunk of this commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=000e84aa88ce16deabbf61e7086fc8db63ca88aa

Because of the second php_getopt() call not being skipped, php-cgi could handle the following injected command line options:

- -T <count> - This makes the PHP interpreter execute the script <count> times. The attacker needs to keep the connection open and consume all generated output to keep this running. Therefore, the advantage of this as a DoS vector compared to simpler DoS attacks is limited; it can mostly be useful in cases when Keep-Alive is disabled and the number of connections per IP is limited over some time period.
- -h / -? - These make the PHP interpreter output usage info, which causes httpd to return an Internal Server Error to the client. This may allow an attacker to guess that the site is running PHP in CGI mode and has CVE-2012-1823 partially fixed.

As the -T option is only supported in PHP 5.2 and later, this problem has a different impact on different Red Hat provided PHP packages:

- php packages in Red Hat Enterprise Linux 5 are only affected by the -h issue and are therefore minimally impacted by this flaw.
- php53 packages in Red Hat Enterprise Linux 5, and php packages in Red Hat Enterprise Linux 6 and Red Hat Application Stack v2, also support the -T option and are affected by the DoS attack vector.

As with the original issue CVE-2012-1823, this only affects PHP CGI configurations and does not affect the most common (and default in Red Hat Enterprise Linux and Fedora) configuration using the PHP module for Apache httpd.

This issue can also be mitigated using the same rewrite rules that were published as a mitigation for the CVE-2012-1823 issue - see bug #818607, comment #12 (or bug #818607, comment #27 if you're using an insecure wrapper script for php-cgi, but fixing such a script is recommended, see bug #818607, comment #31).
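The following is an added example, not code from this bug report, from PHP, or from Red Hat. It shows how the option injection described above looks from the web server's side: a CGI query string with no '=' is handed to php-cgi as argv, and an unfixed php-cgi runs getopt() over it, so `?-T+1000` becomes `-T 1000` and `?%2dh` becomes `-h`. The scanner applies the same test as the commonly published mod_rewrite mitigation for CVE-2012-1823 (query string contains no '=' and contains a literal or %2d-encoded dash) to constructed Apache access-log lines and explains the -T / -h / -? cases the report covers. Assumptions: the rewrite rule quoted in the comments is the widely circulated one and is not verified here against bug #818607 comment #12; the log lines, IP addresses and function names are constructed for illustration.

```python
"""Flag HTTP requests whose query string an unfixed php-cgi would parse as
command-line options (CVE-2012-1823 / CVE-2012-2336 style injection).

Added example; not code from the bug report, PHP, or Red Hat.
"""
import re
from urllib.parse import unquote

# Per RFC 3875 section 4.4, a CGI server passes the query string to the script
# as argv only when it contains no '='.  Unfixed php-cgi ran its getopt() over
# that argv, so "?-T+1000" became the options "-T 1000".  The check below
# mirrors the commonly published mod_rewrite mitigation (assumed to be the
# same logic as the rules referenced in bug #818607; not verified here):
#   RewriteCond %{QUERY_STRING} ^[^=]*$
#   RewriteCond %{QUERY_STRING} %2d|\- [NC]
#   RewriteRule .? - [F,L]

# Apache combined-format access log, constructed for this example.
SAMPLE_LOG = """\
192.0.2.10 - - [10/May/2012:18:06:31 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
192.0.2.11 - - [10/May/2012:18:07:02 +0000] "GET /index.php?-T+1000 HTTP/1.1" 200 4096000
192.0.2.12 - - [10/May/2012:18:07:40 +0000] "GET /index.php?%2dh HTTP/1.1" 500 612
192.0.2.13 - - [10/May/2012:18:08:11 +0000] "GET /index.php?search=-T HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)


def query_string_is_option_injection(raw_qs: str) -> bool:
    """True if the raw (undecoded) query string would reach php-cgi as argv
    and contains a dash, literal or %2d-encoded, i.e. a candidate option."""
    if "=" in raw_qs:
        return False
    return "-" in raw_qs or "%2d" in raw_qs.lower()


def injected_argv(raw_qs: str) -> list:
    """Reconstruct the argv php-cgi would see: split on '+', then URL-decode
    each word, in the order the CGI argv rule prescribes."""
    if not query_string_is_option_injection(raw_qs):
        return []
    return [unquote(word) for word in raw_qs.split("+") if word]


def describe_options(argv: list) -> list:
    """Explain the options this bug report covers; any other option is listed
    without interpretation."""
    notes = []
    i = 0
    while i < len(argv):
        word = argv[i]
        if word.startswith("-T"):
            count = word[2:]
            if not count and i + 1 < len(argv):
                count = argv[i + 1]
                i += 1
            notes.append(f"-T {count}: script executed {count} times (DoS vector)")
        elif word in ("-h", "-?"):
            notes.append(f"{word}: usage output, httpd returns 500")
        elif word.startswith("-"):
            notes.append(f"{word}: other php-cgi option")
        i += 1
    return notes


def scan_access_log(lines) -> list:
    """Return one finding per request whose query string matches the
    injection pattern; requests with '=' in the query string are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _, _, raw_qs = m.group("target").partition("?")
        argv = injected_argv(raw_qs)
        if argv:
            findings.append({
                "ip": m.group("ip"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "argv": argv,
                "notes": describe_options(argv),
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f["ip"], f["target"], f["status"], "; ".join(f["notes"]))
```

Run against the constructed log, only the `-T+1000` and `%2dh` requests are reported; `search=-T` is not, because the '=' means the server never hands that query string to the script as argv. A 500 status paired with an `-h` finding is the fingerprint the report describes for a server with CVE-2012-1823 only partially fixed.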
This issue has been addressed in the following products:

- Red Hat Enterprise Linux 5, via RHSA-2012:1047 https://rhn.redhat.com/errata/RHSA-2012-1047.html
- Red Hat Enterprise Linux 6, via RHSA-2012:1046 https://rhn.redhat.com/errata/RHSA-2012-1046.html
- Red Hat Enterprise Linux 5, via RHSA-2012:1045 https://rhn.redhat.com/errata/RHSA-2012-1045.html