The Hardened-PHP Project discovered an overflow in the PHP htmlentities() and htmlspecialchars() routines. If a PHP script used the vulnerable functions to parse UTF-8 data, a remote attacker sending a carefully crafted request could trigger the overflow and potentially execute arbitrary code as the 'apache' user. (CVE-2006-5465) I think this overflow is probably present in both FC3 and FC4. RHEL announcement: http://rhn.redhat.com/errata/RHSA-2006-0730.html
Also some older vulnerabilities I don't think we've gotten to yet: http://rhn.redhat.com/errata/RHSA-2006-0669.html

A response-splitting issue was discovered in the PHP session handling. If a remote attacker can force a carefully crafted session identifier to be used, a cross-site-scripting or response-splitting attack could be possible. (CVE-2006-3016)

A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the 'apache' user. (CVE-2006-4020)

An integer overflow was discovered in the PHP wordwrap() and str_repeat() functions. If a script running on a 64-bit server used either of these functions on untrusted user data, a remote attacker sending a carefully crafted request might be able to cause a heap overflow. (CVE-2006-4482)

A buffer overflow was discovered in the PHP gd extension. If a script was set up to process GIF images from untrusted sources using the gd extension, a remote attacker could cause a heap overflow. (CVE-2006-4484)

An integer overflow was discovered in the PHP memory allocation handling. On 64-bit platforms, the "memory_limit" setting was not enforced correctly, which could allow a denial of service attack by a remote user. (CVE-2006-4486)
I've built updated packages to fix these issues. Patches are based off of RHEL patches. The FC3 package uses the RHEL patches directly except for one: php-4.3.11-CVE-2006-4020.patch

The FC4 package required re-patching based on the RHEL patches, so it'd be nice if someone can give those some extra attention when doing QA.

FC3:
http://www.cs.ucsb.edu/~jeff/legacy/php-4.3.11-2.8.5.legacy.src.rpm
1477a19b3ca99129da63a00539c960f145b4c914 php-4.3.11-2.8.5.legacy.src.rpm

FC4:
http://www.cs.ucsb.edu/~jeff/legacy/php-5.0.4-10.6.legacy.src.rpm
c6d273a1a0f7fdf3a635cacea6e8044aceab4794 php-5.0.4-10.6.legacy.src.rpm
Hrm, these look important enough that -- would anyone complain if I just built these for updates-testing? I'll try and have a good look at the patches while doing so.
*** Bug 215565 has been marked as a duplicate of this bug. ***
(In reply to comment #3)
> Hrm, these look important enough that -- would anyone complain if I just
> built these for updates-testing? I'll try and have a good look at the
> patches while doing so.

Works for me, although the more eyes on the patches the better, so if anyone can look over the SRPMs above, please do so. The faster we get these into updates-testing the better.

By the way, I already built the FC3 packages on turbosphere, so you really just need to build the FC4 ones there (I built those on my local build system). See http://turbosphere.fedoralegacy.org/build/job.psp?uid=180 for info on the FC3 build.