Red Hat Bugzilla – Bug 445003
CVE-2008-0599 php: buffer overflow in a CGI path translation
Last modified: 2010-03-29 05:45:56 EDT
From the PHP 5.2.6 changelog:
* Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.
The fix for this is here:
This issue seems to have been introduced in the following commit:
The affected code first appeared in released PHP version 5.2.3.
In previous versions, env_path_info was not checked to be non-NULL, possibly
causing a crash of the php interpreter launched to handle the CGI request (unlikely, as
the PATH_INFO environment variable is set by the web server).
Whether or not PATH_INFO is present in the environment is under the control of
the remote user.
But this code path can only be reached if DOCUMENT_ROOT is not set (the
preceding "if" condition on env_document_root). That will never happen if
/usr/bin/php-cgi is being executed via httpd mod_cgi.
It does look like it's normal that DOCUMENT_ROOT is not passed through if
php-cgi is being executed via FastCGI, however. In that case, it could cause a
NULL pointer dereference and the php-cgi process would be recycled by the
fastcgi parent; a very minor DoS. Not sure if we actually ship any FastCGI
So I'd say, this is severity=Low.
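An added illustration of the guard the comments above are discussing. This is a hypothetical model written for this page, not PHP's sapi/cgi/cgi_main.c and not code from this bug report: every CGI variable arrives through getenv() and may be NULL, so path translation has to tolerate a missing DOCUMENT_ROOT (the FastCGI case described above) and a missing PATH_INFO (which the remote client controls) without dereferencing NULL, and has to bound the output buffer. The function name cgi_path_translated, the fall-back to SCRIPT_FILENAME when DOCUMENT_ROOT is absent, and the refusal of a truncated result are assumptions of this example, not PHP's behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of CGI path translation (illustration only, NOT PHP's
 * sapi/cgi/cgi_main.c). The two inputs a web server may or may not pass
 * (DOCUMENT_ROOT, PATH_INFO) are taken as possibly-NULL pointers, exactly
 * as getenv() would hand them over. */

/* Derive PATH_TRANSLATED into out[outlen].
 * Returns 1 on success, 0 if the inputs do not yield a translation or the
 * result would not fit. Never dereferences a NULL argument and never writes
 * past outlen, so a client that omits PATH_INFO or a front-end that omits
 * DOCUMENT_ROOT can neither crash the interpreter nor overflow the buffer. */
int cgi_path_translated(const char *document_root, const char *path_info,
                        const char *script_filename, char *out, size_t outlen)
{
    int n;

    if (out == NULL || outlen == 0)
        return 0;
    out[0] = '\0';

    /* The case the comment describes as reachable under FastCGI: no
     * DOCUMENT_ROOT. Without a root there is nothing to prepend PATH_INFO to,
     * so fall back to the script path the server resolved itself, if any.
     * (Fallback policy is an assumption of this example.) */
    if (document_root == NULL || document_root[0] == '\0') {
        if (script_filename == NULL || script_filename[0] == '\0')
            return 0;
        n = snprintf(out, outlen, "%s", script_filename);
        return n >= 0 && (size_t)n < outlen;
    }

    /* PATH_INFO is remote-controlled and optional: if absent there is no
     * extra path to translate. A present value must be an absolute path. */
    if (path_info == NULL || path_info[0] == '\0')
        return 0;
    if (path_info[0] != '/')
        return 0;

    /* Avoid a doubled slash when DOCUMENT_ROOT already ends in one. */
    size_t rlen = strlen(document_root);
    if (document_root[rlen - 1] == '/')
        rlen--;
    n = snprintf(out, outlen, "%.*s%s", (int)rlen, document_root, path_info);
    /* snprintf reports the length it wanted; refuse a clipped result rather
     * than silently handing back a truncated path. */
    return n >= 0 && (size_t)n < outlen;
}

int main(void)
{
    char buf[256];
    /* Read the CGI environment the way a real php-cgi would: unset variables
     * come back as NULL and must be tolerated. */
    const char *root = getenv("DOCUMENT_ROOT");
    const char *info = getenv("PATH_INFO");
    const char *script = getenv("SCRIPT_FILENAME");

    if (cgi_path_translated(root, info, script, buf, sizeof buf))
        printf("PATH_TRANSLATED=%s\n", buf);
    else
        printf("no PATH_TRANSLATED (DOCUMENT_ROOT=%s PATH_INFO=%s)\n",
               root ? root : "<unset>", info ? info : "<unset>");
    return 0;
}
```

To see both paths, run it once as `DOCUMENT_ROOT=/var/www PATH_INFO=/a/b.php ./a.out` and once with DOCUMENT_ROOT unset (`PATH_INFO=/a/b.php SCRIPT_FILENAME=/srv/s.php ./a.out`); an unchecked strlen(path_info) in the second branch is exactly the NULL dereference the comment above describes, and here both branches return cleanly instead.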
This issue does not affect the version of PHP as shipped with Red Hat Enterprise
Linux 2.1, 3, 4, or 5.
php-5.2.6-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
php-5.2.6-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.