Bug 230556 - (mopb) CVE-2007-1285 "Month of PHP Bugs" security issues (CVE-2007-1286 CVE-2007-1583 CVE-2007-1711 CVE-2007-1718)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: php
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Joe Orton
QA Contact: David Lawrence
: Security
Depends On:
Blocks:
Reported: 2007-03-01 10:13 EST by Joe Orton
Modified: 2007-11-30 17:07 EST (History)
CC List: 4 users

See Also:
Fixed In Version: RHSA-2007-0155
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-16 11:33:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Joe Orton 2007-03-01 10:13:20 EST
Description of problem:
This bug will be used to provide tracking information for the issues reported
during the "Month of PHP Bugs" initiative, http://www.php-security.org/
Comment 1 Joe Orton 2007-03-01 11:20:47 EST
Introduction: The PHP interpreter does not offer a reliable
"sandboxed" security layer (as found in, say, a JVM) in which
untrusted scripts can be run; any script run by the PHP interpreter
must be trusted with the privileges of the interpreter itself.  In
analysis of these issues, bugs which rely on an "untrusted local
attacker" will therefore not be classified as being
security-sensitive, since no trust boundary is crossed.
Comment 2 Joe Orton 2007-03-01 11:21:13 EST
MOPB-01-2007 describes an issue in the PHP interpreter regarding the
reference counting of variables, which can only be triggered by the
author of the script itself.  Per the introduction, this bug would not
be treated as security-sensitive.
Comment 3 Joe Orton 2007-03-01 11:21:30 EST
A script which allows unbounded function recursion will eventually
cause the interpreter to overflow the process stack and trigger a
segmentation fault; this "feature" of the PHP interpreter is under the
control of the script author so would not be treated as
security-sensitive per the introduction.  Since this "feature" has
been (repeatedly) reported publicly as a "security issue" in the
past, it has been assigned a CVE name by MITRE, CVE-2006-1549.

MOPB-02-2007 and MOPB-03-2007 both concern the handling of (untrusted)
input data which contains deeply-nested arrays. MOPB-02-2007 describes
how a script processing such input data in a recursive fashion,
without concern for recursion bounds, may crash the interpreter, as
described in the previous paragraph. MOPB-03-2007 describes how, on
automatic deallocation of a deeply-nested-array variable, the PHP
interpreter may itself overflow the process stack and crash.

The attack vector here in both cases is the single issue, that PHP
allows input arrays of arbitrary nesting; this would be treated as
security-sensitive.  The impact of this issue is Low; in both paths
the consequence of the bug is to segfault a single Apache httpd child
process, which will be immediately replaced.
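The nesting bound described in this comment is cheapest to enforce in the script before any recursive processing of request data. The following is an added example, not code from the bug report or from the PHP project: it measures the depth of each request parameter with an explicit stack, so the check itself cannot overflow the process stack, and rejects the request when the chosen limit is exceeded. MAX_INPUT_DEPTH, bounded_nesting_depth and accept_request_input are assumed names, and the code assumes PHP 7.1 or later. Later PHP releases also bound nesting at input-parsing time through the max_input_nesting_level ini directive; this script-level check complements rather than replaces that.

```php
<?php
// Added example, not part of the bug report: bound the nesting depth of
// request arrays before any recursive processing. Assumes PHP 7.1+.
declare(strict_types=1);

// Assumed application limit; real request data rarely nests beyond a handful.
const MAX_INPUT_DEPTH = 16;

/**
 * Nesting depth of $value: 0 for a scalar, 1 for a flat array, and so on.
 * Returns -1 as soon as the depth exceeds $limit. Uses an explicit stack
 * rather than recursion, so the check cannot itself exhaust the C stack.
 */
function bounded_nesting_depth($value, int $limit = MAX_INPUT_DEPTH): int
{
    if (!is_array($value)) {
        return 0;
    }
    $deepest = 1;
    $stack = [[$value, 1]];              // pairs of (array, depth of that array)
    while ($stack !== []) {
        [$array, $depth] = array_pop($stack);
        if ($depth > $limit) {
            return -1;                   // deeper than we are willing to walk
        }
        $deepest = max($deepest, $depth);
        foreach ($array as $child) {
            if (is_array($child)) {
                $stack[] = [$child, $depth + 1];
            }
        }
    }
    return $deepest;
}

/**
 * Returns $input unchanged if every parameter is within the depth limit,
 * or null (after logging which parameter failed) if any is nested too deeply.
 * Call this on $_GET / $_POST before handing them to recursive code.
 */
function accept_request_input(array $input, int $limit = MAX_INPUT_DEPTH): ?array
{
    foreach ($input as $name => $value) {
        if (bounded_nesting_depth($value, $limit) < 0) {
            error_log("rejected parameter '$name': nested deeper than $limit levels");
            return null;
        }
    }
    return $input;
}

// Constructed sample: what a query string such as a[b][c]=1 decodes to.
$shallow = ['a' => ['b' => ['c' => '1']]];

// Constructed sample one level past the limit, built without recursion.
$tooDeep = 'x';
for ($i = 0; $i <= MAX_INPUT_DEPTH; $i++) {
    $tooDeep = [$tooDeep];
}

var_dump(bounded_nesting_depth($shallow));
var_dump(accept_request_input(['p' => $shallow]) !== null);
var_dump(accept_request_input(['p' => $tooDeep]) !== null);
```

The check runs after PHP has already built the request arrays, so it guards the script's own recursive code (the MOPB-02 path) and gives a place to log and reject oversized structures; the interpreter-side deallocation crash (the MOPB-03 path) can only be closed by the interpreter fix itself.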
Comment 5 Joe Orton 2007-03-02 10:57:56 EST
MOPB-04-2007 describes an issue in the PHP unserialize() function in
PHP 4.4.x; if this function is used on an untrusted input string, the
object reference count can be forced to overflow, which allows the
attacker to execute arbitrary code as the PHP user.  An input string
required to exploit this issue must exceed ~512K in length, so default
Apache line length limits will prevent this from being exploited via input
data carried in the HTTP request headers or URI.

(CVE: none assigned, Impact: Important)
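The issue in this comment hinges on unserialize() being fed an untrusted string. The usual defence is to make sure untrusted bytes never reach unserialize() at all: keep serialized state on the server, or, when it must round-trip through the client, authenticate it first. The following added example (not code from the bug report or from the PHP project) shows the second approach: a size cap is applied before any parsing, a keyed HMAC over the serialized payload is checked in constant time, and object instantiation is disabled with the allowed_classes option. STATE_KEY, MAX_STATE_BYTES, encode_state and decode_state are assumed names; hash_equals and allowed_classes require PHP 7.0 or later.

```php
<?php
// Added example, not part of the bug report: authenticate client-supplied
// serialized state before unserialize() ever sees it. Assumes PHP 7.0+.
declare(strict_types=1);

// Constructed key for the example; a deployment loads this from configuration.
const STATE_KEY = 'example-key-replace-me';
// Assumed cap: a payload far smaller than the ~512K the report mentions.
const MAX_STATE_BYTES = 4096;

/** Serializes $state and prepends an HMAC-SHA256 tag: "<hex mac>.<base64 payload>". */
function encode_state(array $state): string
{
    $payload = serialize($state);
    $mac = hash_hmac('sha256', $payload, STATE_KEY);
    return $mac . '.' . base64_encode($payload);
}

/**
 * Returns the decoded state, or null if the blob is oversized, malformed,
 * or its MAC does not verify. unserialize() runs only on authenticated bytes,
 * and with object instantiation disabled.
 */
function decode_state(string $blob): ?array
{
    if (strlen($blob) > MAX_STATE_BYTES) {
        return null;                                    // size gate first
    }
    $parts = explode('.', $blob, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $encoded] = $parts;
    $payload = base64_decode($encoded, true);           // strict: reject junk
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, STATE_KEY);
    if (!hash_equals($expected, $mac)) {                // constant-time compare
        return null;                                    // forged or tampered
    }
    $state = unserialize($payload, ['allowed_classes' => false]);
    return is_array($state) ? $state : null;
}

// Constructed round trip.
$blob = encode_state(['user' => 42, 'theme' => 'dark']);
var_dump(decode_state($blob));

// Constructed tampering: alter the tail of the payload; the MAC no longer matches.
$tampered = substr($blob, 0, -2) . 'AA';
var_dump(decode_state($tampered));
```

Where the state does not need PHP object semantics at all, json_decode($payload, true, $depth) with a small depth argument is the simpler choice, since it never instantiates classes and bounds nesting on the way in.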
Comment 6 Joe Orton 2007-03-02 10:59:34 EST
MOPB-05-2007: If unserializing untrusted data on 64-bit platforms the
zend_hash_init() function can be forced to enter an infinite loop,
consuming CPU resources, for a limited duration of time, until the
script timeout alarm aborts the script.

Errata fixing this bug have already been issued; see bug 228858.

(CVE: CVE-2007-0988; Impact: Moderate)
Comment 8 Joe Orton 2007-03-03 15:58:47 EST
"BONUS-06-2007" and "BONUS-07-2007" concern issues in the Zend Platform product,
which is not distributed in Red Hat Enterprise Linux.

MOPB-08-2007 describes a cross-site-scripting issue in the phpinfo() function in
certain versions of PHP.  Generally, the phpinfo() function should not be used
in publicly accessible PHP scripts.

(CVE: none assigned; Impact: Low)
Comment 9 Joe Orton 2007-03-05 07:49:41 EST
MOPB-09-2007 describes an issue in the WDDX extension which was introduced in
the PHP CVS development branch, and is not present in any released version of PHP.

MOPB-10-2007 describes an issue in the session extension which allows a heap
information leak.  Errata fixing this bug have already been issued; see bug 228858.

MOPB-11-2007 describes an issue in the WDDX extension which allowed a heap
information leak.  Errata fixing this bug have already been issued; see bug 228858.
Comment 10 Joe Orton 2007-03-06 11:30:09 EST
BONUS-12-2007 describes an issue in mod_security, which is not distributed in
Red Hat Enterprise Linux.

MOPB-13-2007 describes an issue in the "ovrimos" extension, which is not
included in the PHP package distributed in Red Hat Enterprise Linux.
Comment 12 Joe Orton 2007-03-07 08:54:07 EST
Update: MOPB-08-2007 was a regression introduced with the fix for CVE-2006-0996
added in PHP 4.4.3, and has been assigned CVE-2007-1287.  This regression was not
present in the patch used to fix CVE-2006-0996 in Red Hat Enterprise Linux.
Comment 14 Joe Orton 2007-03-08 10:49:47 EST
MOPB-14-2007 describes an integer overflow in the substr_compare() function.
This function is not present in the versions of PHP distributed in Red Hat
Enterprise Linux v2.1, v3 or v4.

MOPB-15-2007 describes input validation bugs in the shmop extension.  These bugs
could only be triggered by the author of the PHP script, so would not be treated
as security-sensitive per comment 1.
Comment 15 Joe Orton 2007-03-12 05:56:17 EDT
MOPB-16-2007 describes a bug in the "zip" extension.  MOPB-17-2007,
MOPB-18-2007, and MOPB-19-2007 all describe bugs in the "filter" extension.
The "filter" and "zip" extensions are not distributed in Red Hat Enterprise Linux.
Comment 16 Lubomir Kundrak 2007-03-12 14:29:10 EDT
MOPB-01-2007 CVE-2007-1383
MOPB-09-2007 CVE-2007-1381
MOPB-10-2007 CVE-2007-1380
MOPB-14-2007 CVE-2007-1375
MOPB-15-2007 CVE-2007-1376
Comment 17 Lubomir Kundrak 2007-03-12 14:29:50 EDT
MOPB-16-2007 CVE-2007-1399
Comment 18 Joe Orton 2007-03-14 05:58:10 EDT
MOPB-20-2007 and MOPB-21-2007 describe "safe_mode"/"open_basedir" bugs in the
"zip" and "bz2" extensions; this type of bug is not classified as
security-sensitive per comment 1; see also bug 169857.  (The "zip" extension is
not distributed in Red Hat Enterprise Linux v2, v3, or v4)
Comment 20 Lubomir Kundrak 2007-03-15 07:08:48 EDT
MOPB-17-2007 CVE-2007-1452
MOPB-18-2007 CVE-2007-1454
MOPB-19-2007 CVE-2007-1453
MOPB-20-2007 CVE-2007-1460
MOPB-21-2007 CVE-2007-1461
Comment 21 Lubomir Kundrak 2007-03-19 17:33:28 EDT
MOPB-24-2007 CVE-2007-1484
Comment 23 Joe Orton 2007-03-20 12:31:36 EDT
MOPB-22-2007 and MOPB-23-2007 describe bugs in the session extension; there are
no known methods to trigger these bugs remotely.  MOPB-24-2007 describes a bug
in the array_user_key_compare() function, which can only be triggered by a script
author.  These bugs are not classified as security-sensitive per comment 1.

MOPB-25-2007 describes a bug in the header() function which is unlikely to be
possible to trigger remotely, and is unlikely to have any effect on most
platforms.  Errata have already been issued fixing this bug: see
http://rhn.redhat.com/errata/CVE-2007-0907.html

MOPB-26-2007 describes a bug in the mbstring extension which may allow a remote
attacker to enable the "register_globals" setting for the lifetime of an httpd
child process, if the mb_parse_string() function is used to process untrusted script
input of a length which can force the default memory_limit to be exhausted.
(CVE: none assigned; Impact: Low)

MOPB-27-2007 describes a bug in the gd extension which can only be triggered by
the script author.  This bug is not classified as security-sensitive per comment 1.
Comment 24 Joe Orton 2007-03-21 05:26:06 EDT
MOPB-28-2007 describes a bug in the use of user-defined stream handles which can
only be triggered by the script author.  This bug is not classified as
security-sensitive per comment 1.
Comment 25 Lubomir Kundrak 2007-03-21 09:01:57 EDT
MOPB-22-2007 CVE-2007-1521
MOPB-23-2007 CVE-2007-1522
Comment 26 Lubomir Kundrak 2007-03-22 16:23:38 EDT
CVE-2007-1584 php MOPB-25-2007
CVE-2007-1583 php MOPB-26-2007
CVE-2007-1582 php MOPB-27-2007
CVE-2007-1581 php MOPB-28-2007
Comment 27 Joe Orton 2007-03-23 05:23:47 EDT
MOPB-29-2007 describes an issue in the unserialize() function introduced in the
PHP 5.2.1 release, which does not affect the versions of PHP shipped in Red Hat
Enterprise Linux.
Comment 29 Lubomir Kundrak 2007-03-27 11:52:29 EDT
MOPB-29-2007 CVE-2007-1649
MOPB-30-2007 CVE-2007-1700
MOPB-31-2007 CVE-2007-1701
Comment 30 Joe Orton 2007-03-27 12:13:32 EDT
MOPB-30-2007 describes a bug in the session extension which can only be
triggered by the script author.

MOPB-31-2007 describes a bug in the session extension which allows super-globals
to be over-ridden by an attacker, if session data is taken from an untrusted
source.  Errata have already been issued fixing this bug: see
http://rhn.redhat.com/errata/CVE-2007-0910.html

MOPB-32-2007 describes a regression in the fix used for MOPB-31-2007 which may
allow a remote attacker to execute arbitrary code as the "apache" user, if
session data is taken from an untrusted source.  (CVE: none assigned; Impact:
Important)
Comment 31 Lubomir Kundrak 2007-03-27 12:56:07 EDT
MOPB-32-2007 CVE-2007-1711
Comment 32 Lubomir Kundrak 2007-03-28 06:13:15 EDT
MOPB-33-2007 CVE-2007-1717
MOPB-34-2007 CVE-2007-1718
Comment 34 Joe Orton 2007-03-29 06:20:29 EDT
MOPB-35-2007 describes a bug in the "zip" extension, which is not distributed in
Red Hat Enterprise Linux.

MOPB-36-2007 describes a bug in the "open_basedir" feature, which is not
classified as security-sensitive per comment 1; see also bug 169857.
Comment 35 Joe Orton 2007-03-29 06:33:58 EDT
MOPB-33-2007 describes a bug in the mail() function which has no security impact.

MOPB-34-2007 describes a bug in the mail() function which allows a remote
attacker to inject arbitrary headers into generated mail, if the "subject"
parameter passed to the function uses untrusted (and unsanitized) script input;
this may allow the attacker to force the script to send bulk e-mail to
unintended recipients. (CVE-2007-1718, Impact: Low)
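The mail() issue in this comment is the classic header-injection pattern: a line break inside a single header value starts a new header. The check below is an added example, not code from the bug report or from the PHP project, of the script-side mitigation that applies regardless of the interpreter's own fix: any header value derived from request input is rejected if it contains CR, LF or another control character before it is passed to mail(), and the recipient is never taken from the request. safe_mail_header_value and send_contact_mail are assumed names, and the recipient address is constructed.

```php
<?php
// Added example, not part of the bug report: keep request-derived values
// out of mail headers unless they are a single clean line.
declare(strict_types=1);

/**
 * Returns the trimmed value if it is safe to place on one mail header line,
 * or null if it contains CR, LF or any other control character, which is
 * what an injected header relies on.
 */
function safe_mail_header_value(string $value): ?string
{
    if (preg_match('/[\x00-\x1f\x7f]/', $value) === 1) {
        return null;
    }
    $value = trim($value);
    return $value === '' ? null : $value;
}

/**
 * Sends a message whose subject came from untrusted input. The recipient
 * is fixed by the application, never taken from the request.
 */
function send_contact_mail(string $untrustedSubject, string $body): bool
{
    $subject = safe_mail_header_value($untrustedSubject);
    if ($subject === null) {
        error_log('mail: rejected subject containing control characters');
        return false;
    }
    // Constructed recipient; a real script would use a configured address.
    return mail('contact@example.invalid', $subject, $body);
}

// Constructed inputs: one ordinary subject, one carrying an injected header line.
var_dump(safe_mail_header_value('Question about my order'));
var_dump(safe_mail_header_value("Question\r\nX-Injected: yes"));
```

Rejecting rather than silently stripping the offending characters is deliberate: a stripped value can still be mis-parsed by a downstream mail transfer agent, and a rejection leaves a log line that a detection rule can key on.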
Comment 36 Joe Orton 2007-03-30 03:35:16 EDT
MOPB-37-2007 describes a bug in the Zend interpreter which can only be triggered
by the script author.  This bug is not classified as security-sensitive per
comment 1.
Comment 37 Joe Orton 2007-04-02 10:17:38 EDT
MOPB-38-2007 describes an issue in the printf() function which can only be
triggered by the script author.

MOPB-39-2007 describes an integer overflow in the str_replace() function, which can
be triggered remotely if a script passes large untrusted strings to the third
and fourth arguments of this function.  Errata fixing this bug have already been
issued: http://rhn.redhat.com/errata/CVE-2007-0907.html.  The off-by-one bug
used in the initial fix committed upstream did not affect the patch used in Red
Hat Enterprise Linux.
Comment 38 Joe Orton 2007-04-02 11:38:58 EDT
MOPB-40-2007 describes a heap overflow in the imap_mail_compose() function. 
Errata fixing this bug have already been issued; see
http://rhn.redhat.com/errata/CVE-2007-0906.html.

MOPB-41-2007 describes a bug in the sqlite2 library, a copy of which is bundled
in the "sqlite" extension included in the PHP source code.  Neither the "sqlite"
extension nor the sqlite2 library are distributed in Red Hat Enterprise Linux.
Comment 39 Joe Orton 2007-04-02 11:43:18 EDT
MOPB-42-2007 describes a bug in the handling of stream filters, which should
only be possible to be triggered by the script author.

MOPB-43-2007 describes a bug in the msg_receive() function provided by the
"sysvmsg" extension.  This bug can only be triggered by the script author.

MOPB-44-2007 describes a bug in the PHP 5.2 Zend Memory Manager, which does not
affect earlier versions of PHP.
Comment 41 Mark J. Cox (Product Security) 2007-04-03 08:48:48 EDT
So, in summary at the end of MOPB, the following unfixed issues are the ones that we
class as having security impact:

        CVE-2007-1285 MOPB-03-2007
        impact=low,public=20070301

        CVE-2007-1286 MOPB-04-2007
        impact=important,public=20070302

        CVE-2007-1583 MOPB-26-2007
        impact=low,public=20030720

        CVE-2007-1711 MOPB-32-2007
        impact=important,public=20070325
Comment 42 Lubomir Kundrak 2007-04-03 14:15:01 EDT
MOPB-36-2007 CVE-2007-1835
MOPB-42-2007 CVE-2007-1824
MOPB-40-2007 CVE-2007-1825
Comment 43 Joe Orton 2007-04-04 05:29:19 EDT
An unfixed issue in addition to the above summary:

   CVE-2007-1718 MOPB-34-2007
   impact=low,public=20070326
Comment 44 Lubomir Kundrak 2007-04-06 02:22:37 EDT
MOPB-37-2007 CVE-2007-1883
MOPB-38-2007 CVE-2007-1884
MOPB-39-2007 CVE-2007-1885
MOPB-39-2007 CVE-2007-1886
MOPB-41-2007 CVE-2007-1887
MOPB-41-2007 CVE-2007-1888
MOPB-43-2007 CVE-2007-1883
MOPB-44-2007 CVE-2007-1883
MOPB-43-2007 CVE-2007-1890
Comment 47 Mark J. Cox (Product Security) 2007-04-16 04:10:47 EDT
Here is the complete mapping for the month, double verified against the CVE db.

MOPB-01-2007 CVE-2007-1383
MOPB-02-2007 CVE-2006-1549
MOPB-03-2007 CVE-2007-1285
MOPB-04-2007 CVE-2007-1286
MOPB-05-2007 CVE-2007-0988
BONUS-06-2007 CVE-2007-1370
BONUS-07-2007 CVE-2007-1369
MOPB-08-2007 CVE-2007-1287
MOPB-09-2007 CVE-2007-1381
MOPB-10-2007 CVE-2007-1380
MOPB-11-2007 CVE-2006-0908
BONUS-12-2007 CVE-2007-1359
MOPB-13-2007 CVE-2007-1378 CVE-2007-1379
MOPB-14-2007 CVE-2007-1375
MOPB-15-2007 CVE-2007-1376
MOPB-16-2007 CVE-2007-1399
MOPB-17-2007 CVE-2007-1452
MOPB-18-2007 CVE-2007-1454
MOPB-19-2007 CVE-2007-1453
MOPB-20-2007 CVE-2007-1460
MOPB-21-2007 CVE-2007-1461
MOPB-22-2007 CVE-2007-1521
MOPB-23-2007 CVE-2007-1522
MOPB-24-2007 CVE-2007-1484
MOPB-25-2007 CVE-2007-1584
MOPB-26-2007 CVE-2007-1583
MOPB-27-2007 CVE-2007-1582
MOPB-28-2007 CVE-2007-1581
MOPB-29-2007 CVE-2007-1649
MOPB-30-2007 CVE-2007-1700
MOPB-31-2007 CVE-2007-1701
MOPB-32-2007 CVE-2007-1711
MOPB-33-2007 CVE-2007-1717
MOPB-34-2007 CVE-2007-1718
MOPB-35-2007 CVE-2007-1777
MOPB-36-2007 CVE-2007-1835
MOPB-37-2007 CVE-2007-1883
MOPB-38-2007 CVE-2007-1884
MOPB-39-2007 CVE-2007-1885 CVE-2007-1886
MOPB-40-2007 CVE-2007-1825
MOPB-41-2007 CVE-2007-1887 CVE-2007-1888
MOPB-42-2007 CVE-2007-1824
MOPB-43-2007 CVE-2007-1889 CVE-2007-1890
MOPB-44-2007 CVE-2007-1889
MOPB-45-2007 CVE-2007-1900
Comment 50 Red Hat Bugzilla 2007-04-16 11:33:05 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0155.html
