Bug 101843 - [RFE] RHN not distributing current and "secure" PHP 4.3.2
Summary: [RFE] RHN not distributing current and "secure" PHP 4.3.2
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: php
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2003-08-07 15:34 UTC by Mark Blevis
Modified: 2007-04-18 16:56 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2003-08-12 12:26:56 UTC
Embargoed:



Description Mark Blevis 2003-08-07 15:34:00 UTC
Description of problem:
RHN's current version of PHP is php-4.2.2-8.0.8.  This version has a number 
of security vulnerabilities and fails a number of security tests.  The current 
distribution of PHP is 4.3.2 (released May 29, 2003).  Please make the most 
current, most secure version of PHP products available through RHN.  It 
concerns me that I'm paying for a service that does not keep pace with stable 
releases.


Version-Release number of selected component (if applicable):
php-4.2.2-8.0.8


How reproducible:
Every time


Steps to Reproduce:
1. rpm -qa |grep php
2. Nessus and Nikto scans
3. Publicly available security advisories

    
Actual results:
-The mail() function does not properly sanitize user input. This allows users 
to forge email to make it look like it is coming from a different source other 
than the server.
-The new POST handling system in PHP 4.2.0 and 4.2.1 has a bug which allows an 
attacker to disable the remote server or to compromise it.
-There is a flaw in this version which may allow an attacker who has the 
ability to inject an arbitrary argument to the function socket_iovec_alloc() 
to crash the remote service and possibly to execute arbitrary code. For this 
attack to work, PHP has to be compiled with the option --enable-sockets (which 
is disabled by default), and an attacker needs to be able to pass arbitrary 
values to socket_iovec_alloc(). Other functions are vulnerable to such flaws: 
openlog(), socket_recv(), socket_recvfrom() and emalloc().


Expected results:


Additional info:
PHP released version 4.3.2 on May 29, 2003.  Prior to that, other versions 
were released since 4.2.2.

Comment 1 Josef Komenda 2003-08-07 17:38:29 UTC
See bug #101784

*** This bug has been marked as a duplicate of 101784 ***

Comment 2 Josef Komenda 2003-08-07 18:10:00 UTC
Whoops, this is for PHP not httpd. Reopening. 

Comment 3 Mark Blevis 2003-08-11 14:56:28 UTC
It has been brought to my attention that the problem relating to the malformed 
POST is a high risk problem (i.e. an attacker can disable or compromise the 
system).  Please treat this high risk security threat accordingly.

Comment 4 Mark Blevis 2003-08-11 15:07:59 UTC
I've just been directed to Security Focus which lists this vulnerability as 
low.  Nevertheless, the vulnerability has been known for over a year and 
clearly is overdue for being addressed.

Comment 5 Mark J. Cox 2003-08-12 12:26:56 UTC
The issues you have listed are:

CAN-2002-0986 mail function 
  
   - this issue is fixed by a backported security fix applied to Red Hat
     packages of PHP since 4.2.2-15 (for Red Hat Linux 7.1-7.3 this was
     covered by a security errata in 2002, for Red Hat Linux 8.0 and 9 the
     packages we shipped had this error).

CAN-2002-0717 PHP post function

   - this issue is reported to only affect PHP version 4.2.1 and 4.2.0,    
     therefore 4.2.2 is not vulnerable to this issue

CAN-2003-0166 socket error

   - this issue only applies if PHP is compiled with --enable-sockets which
     the Red Hat packages are not

Also see http://www.redhat.com/advice/speaks_backport.html on why we backport
security fixes rather than upgrading to the latest upstream releases and how
this confuses tools such as Nessus.


Comment 6 Jan Iven 2003-12-02 12:23:37 UTC
Unfortunately, from the specfiles it looks like the Red Hat RPMs are
actually built *with* --enable-sockets, at least on 7.3
(php-4.1.2-7.3.6.src.rpm) and 9 (php-4.2.2-17.2.src.rpm). That means
that CAN-2003-0166 and CAN-2003-0172 indeed do apply. Please reopen.

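The criteria in Comment 5 and Comment 6 (a backported fix identified by package release rather than upstream version, an issue limited to two upstream versions, and an issue that depends on a build option) are exactly what a version-only scanner misses. The following added example is not from this bug or from Red Hat; it encodes those three criteria as a check over an installed NVR string, assuming the caller supplies the build-option flag (e.g. from the specfile or `php -m`) and, optionally, the text of `rpm -q --changelog php`:

```python
import re

def rpm_vercmp(a, b):
    # Simplified rpmvercmp: compare runs of digits numerically and runs of
    # letters lexically, segment by segment; a longer string wins on a tie.
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment sorts newer than alpha
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(nvr):
    # "php-4.2.2-8.0.8" -> ("php", "4.2.2", "8.0.8")
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def assess(nvr, enable_sockets, changelog=""):
    """Apply the page's three criteria to one installed package."""
    _, version, release = split_nvr(nvr)

    # CAN-2002-0986: Red Hat backported the fix into 4.2.2-15 and later, so
    # the release field decides for 4.2.2 packages; a CAN id in the package
    # changelog is the direct evidence a scanner keyed on version never sees.
    if "CAN-2002-0986" in changelog:
        mail_status = "fixed"
    elif version == "4.2.2":
        mail_status = "fixed" if rpm_vercmp(release, "15") >= 0 else "vulnerable"
    else:
        mail_status = "unknown (rule covers Red Hat 4.2.2-N only)"

    # CAN-2002-0717: only upstream 4.2.0 and 4.2.1 ship the affected POST handler.
    post_status = "vulnerable" if version in ("4.2.0", "4.2.1") else "not affected"

    # CAN-2003-0166: reachable only when PHP was built with --enable-sockets,
    # which Comment 6 found to be the case despite Comment 5's assumption.
    sock_status = "vulnerable" if enable_sockets else "not affected (no --enable-sockets)"

    return {"CAN-2002-0986": mail_status,
            "CAN-2002-0717": post_status,
            "CAN-2003-0166": sock_status}
```

Running it on the two builds named in this bug shows the point: `php-4.2.2-8.0.8` without sockets is exposed only to the mail() issue, while `php-4.2.2-17.2` built with sockets has the mail() fix but is exposed to CAN-2003-0166.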
