Bug 445003 (CVE-2008-0599) - CVE-2008-0599 php: buffer overflow in a CGI path translation
Summary: CVE-2008-0599 php: buffer overflow in a CGI path translation
Status: CLOSED ERRATA
Alias: CVE-2008-0599
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: source=php,reported=20080502,public=2...
Keywords: Reopened, Security
Depends On: 445925
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-05-02 17:59 UTC by Josh Bressers
Modified: 2010-03-29 09:45 UTC (History)
1 user (show)

Fixed In Version: 5.2.6-2.fc9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-29 09:45:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0505 normal SHIPPED_LIVE Moderate: Red Hat Application Stack v2.1 security and enhancement update 2008-07-02 13:15:28 UTC

Description Josh Bressers 2008-05-02 17:59:50 UTC
From the PHP 5.2.6 changelog:
* Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.

The fix for this is here:
http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.50.2.12&r2=1.267.2.15.2.50.2.13&diff_format=u

Comment 2 Tomas Hoger 2008-05-05 08:03:00 UTC
This issue seems to have been introduced in the following commit:

http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?diff_format=u&view=diff&r1=1.323&r2=1.324

Affected code first occurred in released PHP version 5.2.3.

In previous versions, env_path_info was not checked to be non-NULL, possibly
causing crash of php interpreter launched to handle CGI request (unlikely, as
PATH_INFO environment variable is set by web server).

Comment 3 Joe Orton 2008-05-06 10:32:18 UTC
Whether or not PATH_INFO is present in the environment is under the control of
the remote user.

But this code path can only be reached if DOCUMENT_ROOT is not set (the
preceding "if" condition on env_document_root).  That will never happen if
/usr/bin/php-cgi is being executed via httpd mod_cgi.

It does look like it's normal that DOCUMENT_ROOT is not passed through if
php-cgi is being executed via FastCGI, however.  In that case, it could cause a
NULL pointer dereference and the php-cgi process would be recycled by the
fastcgi parent; a very minor DoS.  Not sure if we actually ship any FastCGI
servers, though.

So I'd say, this is severity=Low.


Comment 5 Mark J. Cox 2008-05-20 07:49:55 UTC
This issue does not affect the version of PHP as shipped with Red Hat Enterprise
Linux 2.1, 3, 4, or 5.

Comment 7 Fedora Update System 2008-06-20 19:08:19 UTC
php-5.2.6-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-06-20 19:09:29 UTC
php-5.2.6-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.