Bug 141132 - CAN-2004-1019 information disclosure issues
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: php
Hardware: All
OS: Linux
Priority: medium
Severity: high
Assigned To: Joe Orton
QA Contact: David Lawrence
Keywords: Security
Reported: 2004-11-29 10:45 EST by Josh Bressers
Modified: 2007-11-30 17:07 EST

Doc Type: Bug Fix
Last Closed: 2004-12-21 13:54:54 EST

Description Josh Bressers 2004-11-29 10:45:37 EST
Stefan Esser has reported to vendor-sec a number of information
disclosure issues in PHP.


This issue should also affect RHEL2.1

I'm marking this issue as security sensitive since the upstream
release announcing this fix.  We'll make this public when the rest of
the world knows about it.
Comment 1 Josh Bressers 2004-12-06 14:49:24 EST
An additional issue has been added to this CVE id.

= CAN-2004-1019
[07] ext/standard/var_unserializer.c
      ext/standard/var_unserializer.re - reference to already freed array

A reference to an already freed zvalue can lead to my special friend:
controlling a ZendHashTable incl. its destructor pointer. Due to the
Zend Memory Cache it is easy to create a string that when unserialize is
performed on it will result in cross platform jumping to a specific EIP.
(NOTE: phpBB2 is more or less easily exploitable with this, PoC exists)


Credits: Stefan Esser
Comment 2 Mark J. Cox (Product Security) 2004-12-15 16:57:41 EST
Removing embargo
Comment 5 thewolf 2004-12-17 14:14:08 EST
Here is the URL to the Security Advisory by Stefan Esser:

There are a few issues: CAN-2004-1018, CAN-2004-1019, CAN-2004-1064.

Some of them are critical, please check the advisory for the full info.

Will the new 'php' package fix all the issues?

Is there any ETA for it yet?

Comment 6 Mark J. Cox (Product Security) 2004-12-17 14:23:25 EST
The RHEL3 update is currently being worked on with the fixes for:

CAN-2004-1065 - exif_read_data() overflow on long sectionname.
CAN-2004-1018 - shmop_write() out of bounds memory write access.
CAN-2004-1019 - possible information disclosure, double free etc
CAN-2004-1018 - integer overflow/underflow in pack() and unpack()

but not the fixes for:

NA: CAN-2004-1020 - addslashes not escaping \0 correctly.
 (only applies to 4.3.9)

NA: CAN-2004-1064 - arbitrary file access through path truncation.
 (only matters for threaded servers, we don't build PHP to support

The fix for CAN-2004-1063 (one of the safe_mode things) is non-obvious
and looks risky, so is not included.

RHEL2.1 will have a different subset of fixes, to be determined.

The Security team rate the maximum severity of these issues as
Important impact.
Comment 7 Christopher McCrory 2004-12-17 16:22:50 EST
Can we get an unofficial people.redhat.com/PATH rpm link for a pre
release build for local QA?

Comment 8 Joe Orton 2004-12-17 19:08:09 EST
*Test* update packages are available (but unsupported) from:
Comment 9 Kenneth Porter 2004-12-18 11:46:57 EST
Possibly related bugs:

Bug 141135
Bug 142056
Bug 143101 (similar issues in 5.0 branch)
Comment 10 thewolf 2004-12-21 05:26:32 EST
The PHP vulnerabilities are already being exploited in the wild:

This is really a critical issue for web hosting servers.

Is there any ETA for new php package release?

Comment 11 Mark J. Cox (Product Security) 2004-12-21 05:44:29 EST
Updates for this issue are currently in QA and we hope to have them
available today.

Two of the reported PHP issues could have a significant impact,
CAN-2004-1019, and CAN-2004-1065.

CAN-2004-1019 covers the flaws in the deserialisation code.  This can
be an issue if you've got (your own or third party) PHP applications
that use the unserialize function on untrusted user data.  A proof of
concept exploit as you mentioned exists that can dump memory out of
some third party PHP webapp.

CAN-2004-1065 covers flaws in the exif extension.  If you have a PHP
application that parses untrusted image files using the exif extension
then this could lead to a stack overflow.  It looks unlikely this
could lead to code execution on Fedora Core w/Exec-shield.

The remaining issues do not have a significant impact and would most
likely require a malicious PHP script in order to exploit.
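Comment 11 makes the exposure for CAN-2004-1019 conditional on whether an application passes request data to unserialize(). The following is an added triage script, not part of this bug report or of PHP: it walks PHP source line by line, marks variables assigned from request superglobals or php://input as tainted, and reports unserialize() calls fed by them. The sample PHP it scans is constructed for the example.

```python
import re

# Sources of attacker-controlled request data (constructed list for this example).
UNTRUSTED_SOURCES = (r"\$_(GET|POST|COOKIE|REQUEST|SERVER|FILES)\b", r"php://input")
ASSIGN_RE = re.compile(r"\$(\w+)\s*=(?!=)\s*(.+?);")
CALL_RE = re.compile(r"\bunserialize\s*\((.*)\)", re.IGNORECASE)
VAR_RE = re.compile(r"\$(\w+)")


def _is_untrusted(expr, tainted):
    """True if the expression reads a request superglobal or a tainted variable."""
    if any(re.search(src, expr) for src in UNTRUSTED_SOURCES):
        return True
    return any(name in tainted for name in VAR_RE.findall(expr))


def find_untrusted_unserialize(php_source):
    """Return (line_no, line) for every unserialize() call fed by request data.

    Line-oriented taint propagation: a variable becomes tainted when assigned
    from a request source or another tainted variable, and is cleared when it is
    reassigned from a clean expression. A triage heuristic, not a PHP parser.
    """
    tainted = set()
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for name, rhs in ASSIGN_RE.findall(line):
            if _is_untrusted(rhs, tainted):
                tainted.add(name)
            else:
                tainted.discard(name)
        call = CALL_RE.search(line)
        if call and _is_untrusted(call.group(1), tainted):
            findings.append((line_no, line.strip()))
    return findings


# Constructed sample application code; not taken from any real project.
SAMPLE_PHP = """<?php
$prefs = $_COOKIE['prefs'];
$data = unserialize($prefs);                 // tainted via $prefs
$raw = file_get_contents('php://input');
$msg = unserialize(base64_decode($raw));     // tainted via $raw
$cached = file_get_contents('/var/cache/app/state.ser');
$state = unserialize($cached);               // local file, not request data
$prefs = 'a:0:{}';
$again = unserialize($prefs);                // $prefs reassigned from a literal
$direct = unserialize($_POST['blob']);       // superglobal used directly
"""

if __name__ == "__main__":
    for line_no, text in find_untrusted_unserialize(SAMPLE_PHP):
        print(f"line {line_no}: {text}")
```

Hits on the sample are lines 3, 5 and 10; the reads from a local cache file and from a reassigned literal are left out.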
Comment 12 Mark J. Cox (Product Security) 2004-12-21 13:54:54 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Comment 13 Pekka Savola 2004-12-21 17:47:08 EST
Any estimate on the progress of the RHEL 2.1 update?
