Bug 285881 (CVE-2007-4782) - CVE-2007-4782 php crash in glob() and fnmatch() functions
Summary: CVE-2007-4782 php crash in glob() and fnmatch() functions
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2007-4782
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
: 382451 (view as bug list)
Depends On: 445919 445920 445921 445922 445923 445924 445925
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-09-11 13:12 UTC by Tomas Hoger
Modified: 2019-09-29 12:21 UTC (History)
3 users (show)

Fixed In Version: 5.2.6-2.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-29 08:28:30 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0505 normal SHIPPED_LIVE Moderate: Red Hat Application Stack v2.1 security and enhancement update 2008-07-02 13:15:28 UTC
Red Hat Product Errata RHSA-2008:0544 normal SHIPPED_LIVE Moderate: php security update 2008-07-16 09:46:17 UTC
Red Hat Product Errata RHSA-2008:0545 normal SHIPPED_LIVE Moderate: php security and bug fix update 2008-07-16 09:57:19 UTC
Red Hat Product Errata RHSA-2008:0582 normal SHIPPED_LIVE Moderate: php security update 2008-07-22 12:30:50 UTC

Description Tomas Hoger 2007-09-11 13:12:43 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4782 to the following vulnerability:

PHP before 5.2.3 allows context-dependent attackers to cause a denial of service (application crash) via (1) a long string in the pattern parameter to the glob function; or (2) a long string in the string parameter to the fnmatch function, accompanied by a pattern parameter value with undefined characteristics, as demonstrated by a "*[1]e" value.  NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless these issues can be demonstrated for code execution.

References:

http://www.securityfocus.com/archive/1/archive/1/478630/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/478626/100/0/threaded
http://www.securityfocus.com/archive/1/478726/100/0/threaded

Comment 1 Josh Bressers 2007-09-12 18:52:35 UTC
We do not consider these to be security issues. For more details see
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1
and http://www.php.net/security-note.php


Comment 3 Tomas Hoger 2007-11-29 15:15:17 UTC
*** Bug 382451 has been marked as a duplicate of this bug. ***

Comment 6 Tomas Hoger 2008-06-12 12:16:11 UTC
Re-opening this bug.  We will be addressing fnmatch() issue in the next PHP
update, as the argument passed to it may be untrusted user data.  Documentation
for the functions suggests usage of fnmatch() as a light-weight alternative to
regular expression handling functions for implementing pattern search
functionality in the PHP applications.

http://www.php.net/manual/en/function.fnmatch.php

Comment 7 Fedora Update System 2008-06-14 04:20:08 UTC
php-5.2.6-2.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update php'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-3864

Comment 8 Fedora Update System 2008-06-20 19:08:16 UTC
php-5.2.6-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Tomas Hoger 2011-04-13 18:46:02 UTC
(In reply to comment #2)
> Issues were addressed in PHP 5.2.5, patches:
> 
> fnmatch:
> http://cvs.php.net/viewvc.cgi/php-src/ext/standard/file.c?r1=1.409.2.6.2.27&r2=1.409.2.6.2.28
> 
> glob:
> http://cvs.php.net/viewvc.cgi/php-src/ext/standard/dir.c?r1=1.147.2.3.2.10&r2=1.147.2.3.2.11

These links no longer work, as upstream moved CVS to using SVN.  Relevant commit in the upstream SVN:
  http://svn.php.net/viewvc?view=revision&revision=242146


Note You need to log in before you can comment on or make changes to this bug.