Bug 445003 - (CVE-2008-0599) CVE-2008-0599 php: buffer overflow in a CGI path translation
CVE-2008-0599 php: buffer overflow in a CGI path translation
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
source=php,reported=20080502,public=2...
: Reopened, Security
Depends On: 445925
Blocks:
  Show dependency treegraph
 
Reported: 2008-05-02 13:59 EDT by Josh Bressers
Modified: 2010-03-29 05:45 EDT (History)
1 user (show)

See Also:
Fixed In Version: 5.2.6-2.fc9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-03-29 05:45:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2008-05-02 13:59:50 EDT
From the PHP 5.2.6 changelog:
* Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.

The fix for this is here:
http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.50.2.12&r2=1.267.2.15.2.50.2.13&diff_format=u
Comment 2 Tomas Hoger 2008-05-05 04:03:00 EDT
This issue seems to have been introduced in the following commit:

http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?diff_format=u&view=diff&r1=1.323&r2=1.324

Affected code first occurred in released PHP version 5.2.3.

In previous versions, env_path_info was not checked to be non-NULL, possibly
causing crash of php interpreter launched to handle CGI request (unlikely, as
PATH_INFO environment variable is set by web server).
Comment 3 Joe Orton 2008-05-06 06:32:18 EDT
Whether or not PATH_INFO is present in the environment is under the control of
the remote user.

But this code path can only be reached if DOCUMENT_ROOT is not set (the
preceding "if" condition on env_document_root).  That will never happen if
/usr/bin/php-cgi is being executed via httpd mod_cgi.

It does look like it's normal that DOCUMENT_ROOT is not passed through if
php-cgi is being executed via FastCGI, however.  In that case, it could cause a
NULL pointer dereference and the php-cgi process would be recycled by the
fastcgi parent; a very minor DoS.  Not sure if we actually ship any FastCGI
servers, though.

So I'd say, this is severity=Low.
Comment 5 Mark J. Cox (Product Security) 2008-05-20 03:49:55 EDT
This issue does not affect the version of PHP as shipped with Red Hat Enterprise
Linux 2.1, 3, 4, or 5.
Comment 7 Fedora Update System 2008-06-20 15:08:19 EDT
php-5.2.6-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2008-06-20 15:09:29 EDT
php-5.2.6-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.