Bug 445003 (CVE-2008-0599) - CVE-2008-0599 php: buffer overflow in a CGI path translation
Summary: CVE-2008-0599 php: buffer overflow in a CGI path translation
Alias: CVE-2008-0599
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 445925
TreeView+ depends on / blocked
Reported: 2008-05-02 17:59 UTC by Josh Bressers
Modified: 2019-09-29 12:24 UTC (History)
1 user (show)

Fixed In Version: 5.2.6-2.fc9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-03-29 09:45:56 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0505 0 normal SHIPPED_LIVE Moderate: Red Hat Application Stack v2.1 security and enhancement update 2008-07-02 13:15:28 UTC

Description Josh Bressers 2008-05-02 17:59:50 UTC
From the PHP 5.2.6 changelog:
* Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.

The fix for this is here:

Comment 2 Tomas Hoger 2008-05-05 08:03:00 UTC
This issue seems to have been introduced in the following commit:


Affected code first occurred in released PHP version 5.2.3.

In previous versions, env_path_info was not checked to be non-NULL, possibly
causing crash of php interpreter launched to handle CGI request (unlikely, as
PATH_INFO environment variable is set by web server).

Comment 3 Joe Orton 2008-05-06 10:32:18 UTC
Whether or not PATH_INFO is present in the environment is under the control of
the remote user.

But this code path can only be reached if DOCUMENT_ROOT is not set (the
preceding "if" condition on env_document_root).  That will never happen if
/usr/bin/php-cgi is being executed via httpd mod_cgi.

It does look like it's normal that DOCUMENT_ROOT is not passed through if
php-cgi is being executed via FastCGI, however.  In that case, it could cause a
NULL pointer dereference and the php-cgi process would be recycled by the
fastcgi parent; a very minor DoS.  Not sure if we actually ship any FastCGI
servers, though.

So I'd say, this is severity=Low.

Comment 5 Mark J. Cox 2008-05-20 07:49:55 UTC
This issue does not affect the version of PHP as shipped with Red Hat Enterprise
Linux 2.1, 3, 4, or 5.

Comment 7 Fedora Update System 2008-06-20 19:08:19 UTC
php-5.2.6-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2008-06-20 19:09:29 UTC
php-5.2.6-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.