Bug 163559 - CAN-2005-1921,1751 PHP vulnerabilities
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: php
unspecified
All Linux
medium Severity medium
Assigned To: Fedora Legacy Bugs
LEGACY, 1, 2
: Security
Reported: 2005-07-18 17:12 EDT by Marc Deslauriers
Modified: 2007-04-18 13:29 EDT
Doc Type: Bug Fix
Last Closed: 2005-07-28 22:16:32 EDT
Description Marc Deslauriers 2005-07-18 17:12:00 EDT
+++ This bug was initially created as a clone of Bug #162044 +++

A bug has been found in PHP's PEAR XML_RPC server which could allow remote code
execution. This bug allows injection of arbitrary PHP commands into eval()
statements. CAN-2005-1921

CAN-2005-1751:
Race condition in shtool 2.0.1 and earlier allows local users to
create or modify arbitrary files via a symlink attack on the
.shtool.$$ temporary file.
http://www.zataz.net/adviso/shtool-05252005.txt

php contains shtool in its source.
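
An added illustration of the temp-file pattern behind CAN-2005-1751 (not shtool or PHP source, and not part of the original report): a PID-derived name written with a plain redirect, beside two hardened forms, with a regression check that runs in a private scratch directory. The `.demo.$$` name, the function names and the sample data are constructed for this example.

```shell
#!/bin/sh
# Added illustration; not shtool or PHP source. All names are hypothetical.

# Unsafe: PID-derived name opened with a plain redirect. '>' follows a
# symlink that already sits at that path and truncates its target.
write_predictable() {   # $1 = directory, $2 = data
    printf '%s\n' "$2" > "$1/.demo.$$"
}

# Hardened: mktemp chooses a random name and creates it with O_EXCL and
# mode 0600, so a pre-existing file or link is never reused.
write_mktemp() {        # prints the path it created
    _t=$(mktemp "$1/.demo.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$_t" && printf '%s\n' "$_t"
}

# Fallback without mktemp: noclobber (set -C) makes '>' refuse to reuse an
# existing path, so the write fails instead of following the link.
write_noclobber() {
    ( set -C; printf '%s\n' "$2" > "$1/.demo.$$" ) 2>/dev/null
}

# Regression check in a private scratch dir: put a link at the predictable
# path, call the writer, and report whether the link target was changed.
check_writer() {        # $1 = writer function; prints "clobbered" or "intact"
    _d=$(mktemp -d) || return 1
    printf 'original\n' > "$_d/target"          # constructed sample content
    ln -s "$_d/target" "$_d/.demo.$$"
    "$1" "$_d" "scratch data" >/dev/null || true
    if [ "$(cat "$_d/target")" = "original" ]; then _r=intact; else _r=clobbered; fi
    rm -rf "$_d"
    printf '%s\n' "$_r"
}

for w in write_predictable write_mktemp write_noclobber; do
    printf '%-18s %s\n' "$w" "$(check_writer "$w")"
done
```

The Linux sysctl `fs.protected_symlinks` limits link-following in sticky world-writable directories such as `/tmp`, but not elsewhere, so the writer itself still needs exclusive creation.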
Comment 1 Marc Deslauriers 2005-07-18 17:13:18 EDT
See:
https://rhn.redhat.com/errata/RHSA-2005-564.html
Comment 2 Marc Deslauriers 2005-07-26 23:31:26 EDT
Here are updated packages for FC1 and FC2.

CAN-2005-1751 is not exploitable in PHP. Patch was included for
completeness only.

Earlier releases than FC1 don't seem to be vulnerable to CAN-2005-1921.


fc2 changelog:
* Tue Jul 26 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 4.3.11-1.fc2.3.legacy
- add security fixes:
 * shtool temp file handling (CAN-2005-1751)
 * XML_RPC command injection (Stefan Esser, CAN-2005-1921)

fc1 changelog:
* Tue Jul 26 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 4.3.11-1.fc1.2.legacy
- add security fixes:
 * shtool temp file handling (CAN-2005-1751)
 * XML_RPC command injection (Stefan Esser, CAN-2005-1921)

Downloads:

fc1 source:
http://www.infostrategique.com/linuxrpms/legacy/1/php-4.3.11-1.fc1.2.legacy.src.rpm
fc1 binaries: http://www.infostrategique.com/linuxrpms/legacy/1/
fc2 source:
http://www.infostrategique.com/linuxrpms/legacy/2/php-4.3.11-1.fc2.3.legacy.src.rpm
fc2 binaries: http://www.infostrategique.com/linuxrpms/legacy/2/
Comment 3 Pekka Savola 2005-07-27 02:11:16 EDT
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal (the xmlrpc part from RHEL)
 - shtool patch from RHEL, xmlrpc patch from upstream
 
+PUBLISH FC1, FC2
 
16905d23967e6ec5d51b88d629125c648dfd4b2f  php-4.3.11-1.fc1.2.legacy.src.rpm
2b38cc3613283b1c133d0cd96c50a07b5400d671  php-4.3.11-1.fc2.3.legacy.src.rpm
Comment 4 Marc Deslauriers 2005-07-27 17:03:46 EDT
Packages were pushed to updates-testing.
Comment 5 Jeff Sheltren 2005-07-28 00:35:47 EDT
QA for FC1 packages:

And for FC2 packages:

Packages update cleanly
Signatures are OK
Tested out a few PHP scripts (both command line and w/ web server) everything
worked OK

FC1 VERIFY++
FC2 VERIFY++
Comment 6 Pekka Savola 2005-07-28 01:16:03 EDT
That was quick, thanks!
Comment 7 Marc Deslauriers 2005-07-28 22:16:32 EDT
Packages were officially released.