Bug 166943 - php multiple vulnerabilities - CVE-2005-2498,3353,3388,3389,3390
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: php
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
Whiteboard: LEGACY, 1, 2, rh73, rh9
Reported: 2005-08-28 09:21 EDT by Jeff Sheltren
Modified: 2007-04-18 13:30 EDT (History)
Last Closed: 2005-12-02 20:30:03 EST
Description Jeff Sheltren 2005-08-28 09:21:36 EDT
A bug was discovered in the PEAR XML-RPC Server package included in PHP. If
a PHP script is used which implements an XML-RPC Server using the PEAR
XML-RPC package, then it is possible for a remote attacker to construct an
XML-RPC request which can cause PHP to execute arbitrary PHP commands as
the 'apache' user. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-2498 to this issue.

See http://rhn.redhat.com/errata/RHSA-2005-748.html and bug #165846

This affects fc1 and fc2.
Comment 1 Marc Deslauriers 2005-11-09 17:16:41 EST
Must also take a look at CVE-2005-3353, CVE-2005-3388, CVE-2005-3389 and
CVE-2005-3390
Comment 2 Marc Deslauriers 2005-11-09 22:55:37 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages for FC1 and FC2.
rh73 and rh9 are not vulnerable.

fc1:
14fa8a104eaf6081f86f6044d98926c3b2464f16  php-4.3.11-1.fc1.3.legacy.i386.rpm
511c19bd7ae00b27bbb0b8e28661ec80f0c5c2da  php-4.3.11-1.fc1.3.legacy.src.rpm
a19f06d62ed322c6ca60a960240545b1c1541c2c  php-devel-4.3.11-1.fc1.3.legacy.i386.rpm
dae143f2b7c31f31fe6726dc0f159e44d8ebb9a7  php-domxml-4.3.11-1.fc1.3.legacy.i386.rpm
1d774b01f202f5970916589d8f7c785854f5f54f  php-imap-4.3.11-1.fc1.3.legacy.i386.rpm
a71c35249b724b83e7ea684a9e03e8226ddaf314  php-ldap-4.3.11-1.fc1.3.legacy.i386.rpm
ef0b14061558d4bb80bd932a9429ea5f726c8deb  php-mbstring-4.3.11-1.fc1.3.legacy.i386.rpm
624bcdcafa968f009349807deaa2b9cdbd7a8870  php-mysql-4.3.11-1.fc1.3.legacy.i386.rpm
0461e0f97932343e89b1545553968ec31e7895c5  php-odbc-4.3.11-1.fc1.3.legacy.i386.rpm
964431ceda611ef5db0ddcb37916e9b1ba14f2d0  php-pgsql-4.3.11-1.fc1.3.legacy.i386.rpm
6cc5fda5e58516da3de48e1e6ce84137ac623cd0  php-snmp-4.3.11-1.fc1.3.legacy.i386.rpm
b73447b0ed96cabfd47d38204bbb58ae58618419  php-xmlrpc-4.3.11-1.fc1.3.legacy.i386.rpm

fc2:
235ec2a6041154f238e7d842f3c5546f1f665317  php-4.3.11-1.fc2.4.legacy.i386.rpm
88bc48eebf292783440e46e04a4819c6c110897d  php-4.3.11-1.fc2.4.legacy.src.rpm
8b0d4837b30af423d1316c3a2aa71efc8400f130  php-devel-4.3.11-1.fc2.4.legacy.i386.rpm
2d299d41c06ae6e8b6eb59681de73ab78ecd870a  php-domxml-4.3.11-1.fc2.4.legacy.i386.rpm
d41520f1bebf1ce8518bae28f446f6a6a7d383e6  php-imap-4.3.11-1.fc2.4.legacy.i386.rpm
79485d15f70dad62f8c83c0f5b790f35416228cd  php-ldap-4.3.11-1.fc2.4.legacy.i386.rpm
c99ddb3a6ef2b689b74b6e6eb6a45aa32a6d341b  php-mbstring-4.3.11-1.fc2.4.legacy.i386.rpm
1494b4c2b97ea097386c783585019c7138ca33f7  php-mysql-4.3.11-1.fc2.4.legacy.i386.rpm
5842888e1733ae3122897bd0d61c0b820b539482  php-odbc-4.3.11-1.fc2.4.legacy.i386.rpm
8f6873b119f4d27be7875174dbdb588a1006ae9e  php-pear-4.3.11-1.fc2.4.legacy.i386.rpm
b94afed2427a4b44d73a4910cab26f210cfe600e  php-pgsql-4.3.11-1.fc2.4.legacy.i386.rpm
90342f547a8d2535c1725cc94e50d65f4f2caa4f  php-snmp-4.3.11-1.fc2.4.legacy.i386.rpm
7aa057781c562290493c3d77e1f863e329ac08d5  php-xmlrpc-4.3.11-1.fc2.4.legacy.i386.rpm

Changelog:
* Wed Nov 09 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 4.3.11-1.fc2.4.legacy
- pear: update to XML_RPC 1.4.0 to fix CVE-2005-2498
- add security fixes from upstream:
 * XSS issues in phpinfo() (CVE-2005-3388)
 * GLOBALS handling (CVE-2005-3390)
 * parse_str() enabling register_globals (CVE-2005-3389)
 * exif: infinite recursion on corrupt JPEG (CVE-2005-3353)

Downloads:

fc1 source:
http://www.infostrategique.com/linuxrpms/legacy/1/php-4.3.11-1.fc1.3.legacy.src.rpm
fc1 binaries: http://www.infostrategique.com/linuxrpms/legacy/1/
fc2 source:
http://www.infostrategique.com/linuxrpms/legacy/2/php-4.3.11-1.fc2.4.legacy.src.rpm
fc2 binaries: http://www.infostrategique.com/linuxrpms/legacy/2/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDcsVwLMAs/0C4zNoRAtkHAJwPYq9k9LlIqMCCXx6JExz+SkFisgCfe3kl
uRYc6x8W5E84XmlibvvauH0=
=vOiC
-----END PGP SIGNATURE-----
Comment 3 Jeff Sheltren 2005-11-10 05:51:25 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for FC1 and FC2 packages:
511c19bd7ae00b27bbb0b8e28661ec80f0c5c2da  php-4.3.11-1.fc1.3.legacy.src.rpm
88bc48eebf292783440e46e04a4819c6c110897d  php-4.3.11-1.fc2.4.legacy.src.rpm

Patches match those from FC3 package
New XML_RPC source is same as FC3 package
All other sources same as previous release
Removed CAN-2005-1921 patch, this is OK since XML_RPC has been updated
SPEC file changes seem fine to me

FC1 PUBLISH++
FC2 PUBLISH++
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDcyaKKe7MLJjUbNMRAmZeAJ9+i9P0ymQizFU38+XVGE5iERSCBgCgp5Xi
X8DGlpIA4s6Mdo5xfrsEeCY=
=dkhE
-----END PGP SIGNATURE-----
Comment 4 Tres Seaver 2005-11-10 08:28:25 EST
I'm not getting the same MD5SUM:

$ wget http://www.infostrategique.com/linuxrpms/legacy/1/php-4.3.11-1.fc1.3.legacy.src.rpm
--08:26:31--  http://www.infostrategique.com/linuxrpms/legacy/1/php-4.3.11-1.fc1.3.legacy.src.rpm
           => `php-4.3.11-1.fc1.3.legacy.src.rpm'
Resolving www.infostrategique.com... done.
Connecting to www.infostrategique.com[209.71.226.162]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5,094,213 [application/x-rpm]

100%[====================================>] 5,094,213    760.09K/s    ETA 00:00

08:26:38 (760.09 KB/s) - `php-4.3.11-1.fc1.3.legacy.src.rpm' saved [5094213/5094213]
$ md5sum php-4.3.11-1.fc1.3.legacy.src.rpm
8ff6977c88fc6ed2afd1e16cb309c2f8  php-4.3.11-1.fc1.3.legacy.src.rpm

Comment 5 James Kosin 2005-11-10 09:42:18 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
 
Everyone,

I'm glad I could get this problem noticed and acted on so quickly.
Sorry I didn't post the Bugzilla entry first.

I also don't see anything wrong with the spec file...  looks good.
All the patches are there.  They check with the patches from FC3.

Everything will / does compile.

Changes look good.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
 
iD8DBQFDc1xAkNLDmnu1kSkRA0qMAJ0WdXwvgNEFThk/1IX53C9GJp8rPACeN6bY
qAitwhtyT+4scvBDPsiLgBc=
=PdXZ
-----END PGP SIGNATURE-----
Comment 6 Marc Deslauriers 2005-11-10 22:15:13 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages for rh7.3 and rh9 to QA.

rh73:
1aeb90829b82a23632242b71efeca9072b8984a7  php-4.1.2-7.3.18.legacy.i386.rpm
92658feeb078906a5b284ac082bdc058107e2fb3  php-4.1.2-7.3.18.legacy.src.rpm
e04dbd30b0683057d4ef8bd6992c39df5130e2aa  php-devel-4.1.2-7.3.18.legacy.i386.rpm
0eab66e9b47f40718f4731c0fb80d3bc9100bf7f  php-imap-4.1.2-7.3.18.legacy.i386.rpm
c8751277aba02a4c190e11b1911a7523b2f836a8  php-ldap-4.1.2-7.3.18.legacy.i386.rpm
24fa3fd5acd49dbc89a9f9a453384e13a2da7f0f  php-manual-4.1.2-7.3.18.legacy.i386.rpm
7f7a05ba4a2983ca970d366affc0a55b321810da  php-mysql-4.1.2-7.3.18.legacy.i386.rpm
f7b9565b71ae90e5e6a55d73e18438cb2a53ce0b  php-odbc-4.1.2-7.3.18.legacy.i386.rpm
d769f2c8d7f2a6fd4b47a559c54d613d27e254c5  php-pgsql-4.1.2-7.3.18.legacy.i386.rpm
5fd51da57df74b458169d190a41c4ef5c2f19b55  php-snmp-4.1.2-7.3.18.legacy.i386.rpm

rh9:
45f04db7df2e06d85a717ed7dc6342c12f428808  php-4.2.2-17.15.legacy.i386.rpm
4f4f776ba44012c61c821e9640781a8392644088  php-4.2.2-17.15.legacy.src.rpm
4fe73d2016bce4e7999719173b3259403255618f  php-devel-4.2.2-17.15.legacy.i386.rpm
4dc1e60f1345a5743c166bcde219367e716d3199  php-imap-4.2.2-17.15.legacy.i386.rpm
4c2e245d2cd33e3472ccb9265cadbf5a60e2a983  php-ldap-4.2.2-17.15.legacy.i386.rpm
9eb9381e635b617c6ccd5787b42a02204f182f8e  php-manual-4.2.2-17.15.legacy.i386.rpm
1aac25bca1e4d92346e0511cd693a1aeecfb89e8  php-mysql-4.2.2-17.15.legacy.i386.rpm
e8f83b44f98475012e653c3c6795aefd0078c09c  php-odbc-4.2.2-17.15.legacy.i386.rpm
fc6603f6a1426cb9201a6cf083c86fe8d88231b6  php-pgsql-4.2.2-17.15.legacy.i386.rpm
59f7b6840806cb26510d4edfdc88b1940252295d  php-snmp-4.2.2-17.15.legacy.i386.rpm

rh73 Changelog:
* Thu Nov 10 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 4.1.2-7.3.18.legacy
- add security fixes from upstream:
 * XSS issues in phpinfo() (CVE-2005-3388)
 * GLOBALS handling (CVE-2005-3390)
 * parse_str() enabling register_globals (CVE-2005-3389)

rh9 Changelog:
* Thu Nov 10 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 4.2.2-17.15.legacy
- add security fixes from upstream:
 * XSS issues in phpinfo() (CVE-2005-3388)
 * GLOBALS handling (CVE-2005-3390)
 * parse_str() enabling register_globals (CVE-2005-3389)
 * exif: infinite recursion on corrupt JPEG (CVE-2005-3353)

Downloads:

rh73 source:
http://www.infostrategique.com/linuxrpms/legacy/7.3/php-4.1.2-7.3.18.legacy.src.rpm
rh73 binaries: http://www.infostrategique.com/linuxrpms/legacy/7.3/
rh9 source:
http://www.infostrategique.com/linuxrpms/legacy/9/php-4.2.2-17.15.legacy.src.rpm
rh9 binaries: http://www.infostrategique.com/linuxrpms/legacy/9/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDdA0lLMAs/0C4zNoRAj0oAKCcIr+1W1wPhqhF+wDy38SvxY1sbgCgs1ZN
VwALBlq1G0l6udOJIKIKCdE=
=3HvN
-----END PGP SIGNATURE-----
Comment 7 Michael Mansour 2005-11-11 06:37:05 EST
I just downloaded the following for FC2, which also didn't match md5sums
displayed above:

0735747f41d4fa3f75e80db3cdc7eb9d  php-4.3.11-1.fc2.4.legacy.i386.rpm
ae9100396394f9c55b19c1a3e8abf453  php-ldap-4.3.11-1.fc2.4.legacy.i386.rpm
8a97ff09f66262420fd34b079df5e45e  php-mbstring-4.3.11-1.fc2.4.legacy.i386.rpm
1334bf10deac1bedc7f48dfaca05c1a6  php-mysql-4.3.11-1.fc2.4.legacy.i386.rpm
02b26389a76312e4d05ce601a57dac49  php-pear-4.3.11-1.fc2.4.legacy.i386.rpm
debe5e43d8910a6892fa14d236b2267d  php-pgsql-4.3.11-1.fc2.4.legacy.i386.rpm
Comment 8 Michael Mansour 2005-11-11 06:41:38 EST
These were the md5sums I got for the FC1 downloads I needed:

1235e99a7b3a5bb4fb0549e2b0c7ed77  php-4.3.11-1.fc1.3.legacy.i386.rpm
4f7320199635ddf6e7e08afc76a70536  php-devel-4.3.11-1.fc1.3.legacy.i386.rpm
12856142cf4adea392b8e76db4141abb  php-imap-4.3.11-1.fc1.3.legacy.i386.rpm
573bef1916c801b949f98665af07d5e4  php-ldap-4.3.11-1.fc1.3.legacy.i386.rpm
cec2f520a68ee8f292d6c2fb37194f2f  php-mbstring-4.3.11-1.fc1.3.legacy.i386.rpm
438a2a417dd0aaa494b580da9e4528a3  php-mysql-4.3.11-1.fc1.3.legacy.i386.rpm
b6e4f650d6483545c65c07d9556fcf23  php-pgsql-4.3.11-1.fc1.3.legacy.i386.rpm
Comment 9 Marc Deslauriers 2005-11-11 07:59:51 EST
Fedora Legacy does not use md5sums; we use sha1sums. That's why they don't match.
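Added example, not Fedora Legacy tooling or code from this bug: a small checksum verifier that parses the `<digest>  <filename>` listings posted above and works out the hash algorithm from the digest length, so a situation like comments 4, 7 and 8 (an MD5 computed locally, compared against published SHA-1 values) shows up as an algorithm mix-up instead of a corrupt download. The files created by `demo()` and the listing it checks are constructed for the demonstration only.

```python
"""Check downloaded packages against a published checksum listing.

Added example, not Fedora Legacy tooling: it parses the
"<hexdigest>  <filename>" lines posted in this bug, picks the hash
algorithm from the digest length (32 hex chars = MD5, 40 = SHA-1,
64 = SHA-256) and compares with the files on disk. Files built by
demo() are constructed for the demonstration only.
"""
import hashlib
import os
import re
import sys
import tempfile

ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
# "<hex>  <name>"; the optional "*" is the binary-mode marker some tools emit
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+\*?(\S+)\s*$")


def detect_algorithm(digest):
    """Guess the algorithm from a hex digest's length; None if unknown."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return None
    return ALGO_BY_HEX_LEN.get(len(digest))


def parse_listing(text):
    """Return (filename, algorithm, digest) triples from a listing.

    Lines that are not "<hex>  <name>" (blank lines, headings such as
    "fc1:") and digests of unrecognised length are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        digest, name = m.group(1).lower(), m.group(2)
        algo = detect_algorithm(digest)
        if algo:
            entries.append((name, algo, digest))
    return entries


def file_digest(path, algo):
    """Hex digest of a file, streamed so large RPMs are not read at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_listing(text, directory):
    """Map each listed filename to 'ok', 'mismatch' or 'missing'."""
    results = {}
    for name, algo, expected in parse_listing(text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif file_digest(path, algo) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed demonstration: two fake packages and a SHA-1 listing
    with one good line, one wrong digest and one file that is absent."""
    d = tempfile.mkdtemp()
    good = b"constructed fake rpm payload A\n"
    with open(os.path.join(d, "a.rpm"), "wb") as f:
        f.write(good)
    with open(os.path.join(d, "b.rpm"), "wb") as f:
        f.write(b"constructed fake rpm payload B\n")
    listing = "fc1:\n{}  a.rpm\n{}  b.rpm\n{}  c.rpm\n".format(
        hashlib.sha1(good).hexdigest(), "0" * 40, "1" * 40)
    return verify_listing(listing, d)


if __name__ == "__main__":
    # usage: python verify.py LISTING_FILE DIRECTORY
    with open(sys.argv[1]) as f:
        for name, status in sorted(verify_listing(f.read(), sys.argv[2]).items()):
            print(f"{status:9} {name}")
```

Running `detect_algorithm` on the 32-character value from comment 4 returns `md5`, while every digest in comments 2 and 6 is 40 characters and returns `sha1`; that is the whole discrepancy this comment explains. Saving a comment's digest lines to a file and running the script against the download directory gives one status per package, with `missing` for listed files that were not downloaded.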
Comment 10 Leonard den Ottolander 2005-11-11 08:16:27 EST
How about CAN-2005-2491 (see bug 166334) and CAN-2005-3054 (see bug 169857)?
Comment 11 Jeff Sheltren 2005-11-11 08:38:23 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for RH7.3 package:
92658feeb078906a5b284ac082bdc058107e2fb3  php-4.1.2-7.3.18.legacy.src.rpm

Patches match those from RHEL package
All sources same as previous release
SPEC file changes are only to add patches and bump release

RH73 PUBLISH++

RH9 patches seem OK, but where do you get them so I have something
to compare to?
Once I can verify the RH9 patches I'll add a publish for that as well.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDdJ9TKe7MLJjUbNMRAlmnAKCANiWwsKtWR39cIvy7ebc6HP2fHwCgzXZA
Ndvoj47+s6YpPBs1++mklxc=
=j0xw
-----END PGP SIGNATURE-----
Comment 12 Marc Deslauriers 2005-11-11 11:37:41 EST
The RH9 patch was based on the RHEL3 and RHEL21 patches and adapted for php 4.2.2.
Comment 13 Jeff Sheltren 2005-11-12 06:06:24 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, I've looked over the RH9 patches; I did notice one thing that
I think should be changed in php-4.2.2-CVE-2005-3389.patch.

See the lines:
- -       old_rg = PG(register_globals);
        if(argCount == 1) {
                PG(register_globals) = 1;
- -               php_treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+               zval tmp;
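Review bot: the hunk removes the `old_rg = PG(register_globals);` save but keeps `PG(register_globals) = 1;` as unchanged context inside the `argCount == 1` branch, so the setting is still switched on and, with no saved value left, nothing can restore it afterwards; register_globals then stays enabled for the rest of the request, which is the behaviour CVE-2005-3389 (parse_str() enabling register_globals) describes. Drop the `PG(register_globals) = 1;` line as the RHEL patch does, so the single-argument path parses into the local `zval tmp` without touching the global setting.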

In the RHEL patches, they remove the line:
PG(register_globals) = 1;
So I think we need to do the same.
Aside from that, things look good to me.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDdcz8Ke7MLJjUbNMRAk/0AJwPtT0C91IazqrOqDQG8Oz0yUa50ACeJBO9
azl4TMqF42dCty/8vvveshQ=
=eFqB
-----END PGP SIGNATURE-----
Comment 14 Marc Deslauriers 2005-11-12 08:45:23 EST
Good catch Jeff, I'll fix the patch when I build for updates-testing today.
Comment 15 Jeff Sheltren 2005-11-13 05:20:50 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marc, sounds good.  With that change to the patch I
give the RH9 package my PUBLISH vote
(just so it's official). :)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDdxPCKe7MLJjUbNMRAhX8AJ9MG6VKtt1Y77lyJ3/q8JbJVzJlhgCg1W7z
4FK4G/VNLmWjTKEv49jzPPw=
=KBUd
-----END PGP SIGNATURE-----
Comment 16 Marc Deslauriers 2005-11-13 23:14:49 EST
Packages were pushed to updates-testing.
Comment 17 Christof Damian 2005-11-14 02:20:10 EST
Why are these not in the FC1 package?

 * GLOBALS handling (CVE-2005-3390)
 * parse_str() enabling register_globals (CVE-2005-3389)
 * exif: infinite recursion on corrupt JPEG (CVE-2005-3353)
Comment 18 Jeff Sheltren 2005-11-14 05:20:49 EST
Regarding comment #17, those are all present in the FC1 RPM.  See the source RPM
here:
http://download.fedoralegacy.org/fedora/1/updates-testing/SRPMS/php-4.3.11-1.fc1.3.legacy.src.rpm
Comment 19 Tom Yates 2005-11-14 13:59:48 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

7ad045d32b304f8dd7ddb19b4b635c729e0150df php-4.2.2-17.16.legacy.i386.rpm

Installs OK.  Apache stopped and restarted; gallery and squirrelmail (both
php-heavy apps) work fine.

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDeN8tePtvKV31zw4RAnfTAKCOc0YKUOBiS0n6xLRR6GUX0HwzvgCdHt3F
YX+m4Ju5Qd4bEf3Hmd5PeFI=
=Kybp
-----END PGP SIGNATURE-----
Comment 20 Pekka Savola 2005-11-16 01:48:17 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL73: installed with -mysql, -ldap and -imap. phpinfo() seems to
work fine, also Horde/IMP seems to work fine.
 
+VERIFY RHL73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDeta/GHbTkzxSL7QRAs2TAKCpJytlxy0r+qvLVbp3ErFjZEhfpwCfceMW
HO3WUDErV3k4NTzXog/Zvfg=
=CdxU
-----END PGP SIGNATURE-----

Timeout in two weeks.
Comment 21 Pekka Savola 2005-11-28 13:59:42 EST
Timeout over.
Comment 22 Marc Deslauriers 2005-11-28 19:02:10 EST
Packages were released.
Comment 23 Taichi Yanagiya 2005-11-30 02:27:49 EST
(rh9) php-4.2.2-17.16.legacy:
It seems that the patches are not applied (commented out).

php.spec:

  #%patch45 -p1 -b .cve3389
  #%patch46 -p1 -b .cve3390
  #%patch47 -p1 -b .cve3388
  #%patch48 -p1 -b .cve3353
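Added example, not Fedora Legacy tooling or code from this bug: a spec-file audit for the failure reported in this comment, where `PatchNN:` declarations are present but the matching `%patchNN` lines in `%prep` are commented out, so the package builds cleanly and ships without the fixes. The sample spec embedded in the block is constructed for the demonstration; apart from `php-4.2.2-CVE-2005-3389.patch` (named earlier in this bug), its patch file names are invented, and the check also understands the older `%patch -P NN` spelling.

```python
"""Audit an RPM spec file for declared patches that are never applied.

Added example, not Fedora Legacy tooling. It collects PatchNN:
declarations and %patch lines, and reports declarations whose only
application line is commented out (as in the rh9 php.spec in this bug)
or missing altogether. SAMPLE_SPEC is constructed; except for
php-4.2.2-CVE-2005-3389.patch the patch file names are invented.
"""
import re
import sys

# "Patch45: php-4.2.2-CVE-2005-3389.patch"
DECL_RE = re.compile(r"^\s*Patch(\d+)\s*:\s*(\S+)", re.IGNORECASE)
# "%patch45 -p1 -b .cve3389", optionally behind a comment marker
APPLY_RE = re.compile(r"^\s*(#\s*)?%patch(\d+)(?!\d)")
# older spelling: "%patch -P 45 -p1"
APPLY_P_RE = re.compile(r"^\s*(#\s*)?%patch\s+.*?-P\s*(\d+)")


def _application(line):
    """Return (is_commented, patch_number) if the line applies a patch."""
    for rx in (APPLY_RE, APPLY_P_RE):
        m = rx.match(line)
        if m:
            return bool(m.group(1)), int(m.group(2))
    return None


def audit_spec(spec_text):
    """Map each declared patch number to 'applied', 'commented_out' or
    'not_applied'. A patch counts as applied if at least one active
    %patch line references it; %if conditionals are not evaluated."""
    declared = {}
    active, commented = set(), set()
    for line in spec_text.splitlines():
        m = DECL_RE.match(line)
        if m:
            declared[int(m.group(1))] = m.group(2)
            continue
        app = _application(line)
        if app:
            is_commented, n = app
            (commented if is_commented else active).add(n)
    status = {}
    for n in sorted(declared):
        if n in active:
            status[n] = "applied"
        elif n in commented:
            status[n] = "commented_out"
        else:
            status[n] = "not_applied"
    return status


def unapplied(spec_text):
    """Patch numbers that are declared but not actually applied, in order."""
    return [n for n, s in audit_spec(spec_text).items() if s != "applied"]


# Constructed sample modelled on the commented-out lines in comment 23.
SAMPLE_SPEC = """\
Name: php
Version: 4.2.2
Release: 17.16.legacy
Patch1: php-4.2.2-constructed-one.patch
Patch45: php-4.2.2-CVE-2005-3389.patch
Patch46: php-4.2.2-constructed-cve3390.patch
Patch47: php-4.2.2-constructed-cve3388.patch
Patch48: php-4.2.2-constructed-cve3353.patch
Patch49: php-4.2.2-constructed-forgotten.patch

%prep
%setup -q
%patch1 -p1 -b .one
#%patch45 -p1 -b .cve3389
#%patch46 -p1 -b .cve3390
#%patch47 -p1 -b .cve3388
#%patch48 -p1 -b .cve3353
"""

if __name__ == "__main__":
    # usage: python audit_spec.py php.spec   (no argument: audit SAMPLE_SPEC)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SPEC
    for n, s in audit_spec(text).items():
        print(f"Patch{n}: {s}")
    sys.exit(1 if unapplied(text) else 0)
```

The exit status makes the audit usable as a gate before a PUBLISH vote: on the sample spec it reports patches 45 through 48 as commented out and 49 as never applied, and exits non-zero. A `%patch` line inside an `%if` block is counted as active, so conditional patches still need a human look.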
Comment 24 Pekka Savola 2005-11-30 03:35:24 EST
So it seems; I didn't check the others.  Re-opening.
Comment 25 Marc Deslauriers 2005-11-30 18:29:25 EST
Only rh9 is affected. I'm rebuilding packages now and will release an updated
advisory.
Comment 26 Marc Deslauriers 2005-12-02 20:30:03 EST
Updated packages were released to updates.
