Red Hat Bugzilla – Bug 141132
CAN-2004-1019 information disclosure issues
Last modified: 2007-11-30 17:07:05 EST
Stefan Esser has reported to vendor sec a number of information
disclosure issues in PHP.
This issue should also affect RHEL2.1
I'm marking this issue as security sensitive since the upstream
release announcing this fix. We'll make this public when the rest of
the world knows about it.
An additional issue has been added to this CVE id.
etx/standard/var_unserializer.re - reference to already freed array
A reference to an already freed zvalue can lead to my special friend:
controlling a ZendHashTable incl. its destructor pointer. Due to the
Zend Memory Cache it is easy to create a string that when unserialize is
performed on it will result in cross platform jumping to a specifix EIP.
(NOTE: phpBB2 is more or less easily exploitable with this, PoC exists)
Credits: Stefan Esser
here is the URL to the Security Advisory by Stefan Esser:
There are a few issues: CAN-2004-1018, CAN-2004-1019, CAN-2004-1064.
Some of them are critical, please check the advisory for the full info.
Will the new 'php' package fix all the issues?
Is there any ETA for it yet?
The RHEL3 update is currently being worked on with the fixes for:
CAN-2004-1065 - exif_read_data() overflow on long sectionname.
CAN-2004-1018 - shmop_write() out of bounds memory write access.
CAN-2004-1019 - possible information disclosure, double free etc
CAN-2004-1018 - integer overflow/underflow in pack() and unpack()
but not the fixes for:
NA: CAN-2004-1020 - addslashes not escaping \0 correctly.
(only applies to 4.3.9)
NA: CAN-2004-1064 - arbitrary file access through path truncation.
(only matters for threaded servers, we don't build PHP to support
The fix for CAN-2004-1063 (one of the safe_mode things) is non-obvious
and looks risky, so is not included.
RHEL2.1 will have a different subset of fixes, to be determined.
The Security team rate the maximum severity of these issues as
Can we get an unofficial people.redhat.com/PATH rpm link for a pre
release build for local QA?
*Test* update packages are available (but unsupported) from:
Possibly related bugs:
Bug 143101 (similar issues in 5.0 branch)
The PHP vulnerabilities are already being exploited in the wild:
This is really a critical issue for web hosting servers.
Is there any ETA for new php package release?
Updates for this issue are currently in QA and we hope to have them
Two of the reported PHP issues could have a significant impact,
CAN-2004-1019, and CAN-2004-1065.
CAN-2004-1019 covers the flaws in the deserialisation code. This can
be an issue if you've got (your own or third party) PHP applications
that use the unserialize function on untrusted user data. A proof of
concept exploit as you mentioned exists that can dump memory out of
some third party PHP webapp.
CAN-2004-1065 covers flaws in the exif extension. If you have a PHP
application that parses untrusted image files using the exif extension
then this could lead to a stack overflow. It looks unlikely this
could lead to code execution on Fedora Core w/Exec-shield.
The remaining issues do not have a significant impact and would most
likely require a malicious PHP script in order to exploit.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
Any estimate on the progress of the RHEL 2.1 update?