Red Hat Bugzilla – Bug 101843
[RFE] RHN not distributing current and "secure" PHP 4.3.2
Last modified: 2007-04-18 12:56:42 EDT
Description of problem:
RHN's current version of the PHP php-4.2.2-8.0.8. This version has a number
of security vulnerabilities and fails a number of security tests. The current
distribution of PHP is 4.3.2 (released May 29, 2003). Please make the most
current, most secure version of PHP products available through RHN. It
concerns me that I'm paying for a service that does not keep pace with stable
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. rpm -qa |grep php
2. Nessus and Nikto scans
3. Publicly available security advisories
-The mail() function does not properly sanitize user input. This allows users
to forge email to make it look like it is coming from a different source other
than the server.
-The new POST handling system in PHP 4.2.0 and 4.2.1 has a bug which allows an
attacker to disable the remote server or to compromise it.
-There is a flaw in this version which may allow an attacker who has the
ability to inject an arbitrary argument to the function socket_iovec_alloc()
to crash the remote service and possibly to execute arbitrary code. For this
attack to work, PHP has to be compiled with the option --enable-sockets (which
is disabled by default), and an attacker needs to be able to pass arbitrary
values to socket_iovec_alloc(). Other functions are vulnerable to such flaws :
openlog(), socket_recv(), socket_recvfrom() and emalloc()
PHP released version 4.3.2 on May 29, 2003. Prior to that, other versions
were released since 4.2.2.
See bug #101784
*** This bug has been marked as a duplicate of 101784 ***
Whoops, this is for PHP not httpd. Reopening.
It has been brought to my attention that the problem relating to the malformed
POST is a high risk problem (i.e. an attacker can disable or compromise the
system). Please treat this high risk security threat accordingly.
I've just been directed to Security Focus which lists this vulnerability as
low. Nevertheless, the vulnerability has been known for over a year and
clearly is overdue for being addressed.
The issues you have listed are:
CAN-2002-0986 mail function
- this issue is fixed by a backported security fix applied to Red Hat
packages of PHP since 4.2.2-15 (for Red Hat Linux 7.1-7.3 this was
covered by a security errata in 2002, for Red Hat Linux 8.0 and 9 the
packages we shipped had this error).
CAN-2002-0717 PHP post function
- this issue is reported to only affect PHP version 4.2.1 and 4.2.0,
therefore 4.2.2 is not vulnerable to this issue
CAN-2003-0166 socket error
- this issue only applies if PHP is compiled with --enable-sockets which
the Red Hat packages are not
Also see http://www.redhat.com/advice/speaks_backport.html on why we backport
security fixes rather than upgrading to the latest upstream releases and how
this confuses tools such as Nessus.
Unfortunatly, from the specfiles it looks like the Red Hat RPMs are
actually built *with* --enable-sockets, at least on 7.3
(php-4.1.2-7.3.6.src.rpm) and 9 (php-4.2.2-17.2.src.rpm). That means
that CAN-2003-0166 and CAN-2003-0172 indeed do apply. Please reopen.