Red Hat Bugzilla – Bug 214391
PHP multiple vulnerabilities - CVE-2006-3016, CVE-2006-4020, CVE-2006-4482, CVE-2006-4484, CVE-2006-4486, CVE-2006-5465
Last modified: 2007-07-16 06:50:28 EDT
The Hardened-PHP Project discovered an overflow in the PHP htmlentities()
and htmlspecialchars() routines. If a PHP script used the vulnerable
functions to parse UTF-8 data, a remote attacker sending a carefully
crafted request could trigger the overflow and potentially execute
arbitrary code as the 'apache' user. (CVE-2006-5465)
I think this overflow is probably present in both FC3 and FC4.
RHEL announcement: http://rhn.redhat.com/errata/RHSA-2006-0730.html
Also some older vulnerabilities I don't think we've gotten to yet:
A response-splitting issue was discovered in the PHP session handling. If
a remote attacker can force a carefully crafted session identifier to be
used, a cross-site-scripting or response-splitting attack could be
A buffer overflow was discovered in the PHP sscanf() function. If a script
used the sscanf() function with positional arguments in the format string,
a remote attacker sending a carefully crafted request could execute
arbitrary code as the 'apache' user. (CVE-2006-4020)
An integer overflow was discovered in the PHP wordwrap() and str_repeat()
functions. If a script running on a 64-bit server used either of these
functions on untrusted user data, a remote attacker sending a carefully
crafted request might be able to cause a heap overflow. (CVE-2006-4482)
A buffer overflow was discovered in the PHP gd extension. If a script was
set up to process GIF images from untrusted sources using the gd extension,
a remote attacker could cause a heap overflow. (CVE-2006-4484)
An integer overflow was discovered in the PHP memory allocation handling.
On 64-bit platforms, the "memory_limit" setting was not enforced correctly,
which could allow a denial of service attack by a remote user. (CVE-2006-4486)
I've built updated packages to fix these issues.
Patches are based off of RHEL patches.
The FC3 package uses the RHEL patches directly except for one:
The FC4 package required re-patching based on the RHEL patches,
so it'd be nice if someone can give those some extra attention
when doing QA.
Hrm, these look important enough that -- would anyone complain if I just
built these for updates-testing? I'll try and have a good look at the
patches while doing so.
*** Bug 215565 has been marked as a duplicate of this bug. ***
(In reply to comment #3)
> Hrm, these look important enough that -- would anyone complain if I just
> built these for updates-testing? I'll try and have a good look at the
> patches while doing so.
Works for me, although the more eyes on the patches the better, so if anyone can
look over the SRPMs above, please do so. The faster we get these into
updates-testing the better.
By the way, I already built the FC3 packages on turbosphere, so you really just
need to build the FC4 ones there (I built those on my local build system). See
http://turbosphere.fedoralegacy.org/build/job.psp?uid=180 for info on the FC3 build.