New PHP upstream release 5.3.1 fixes a couple of security issues:
Mail announcement with CVE ids:
- Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.
- Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz
Stachowiak. (CVE-2009-3558, Rasmus)
- Fixed bug #50063 (safe_mode_include_dir fails). (CVE-2009-3559,
Johannes, christian at elmerot dot se)
Note: CVE-2009-3292 / CVE-2009-3294 were previously fixed in 5.2.11.
tempnam() safe_mode bypass is covered by the following advisory:
uid checks for target directory were not performed by tempnam(), upstream fix:
posix_mkfifo() open_basedir bypass is covered by the following advisory:
safe_mode_include_dir fails problem is detailed in the upstream bug:
According to the bug, this issue is specific to 5.3.x and does not affect previous versions.
This problem is also not a security flaw, as the safe mode uid check was applied where it shouldn't have been, so access was denied where it should have been granted.
CVE-2009-3559 is not a security issue; CVE-2009-3557/CVE-2009-3558 are safe_mode / open_basedir bypass issues. Closing as a dupe of bug #169857.
*** This bug has been marked as a duplicate of bug 169857 ***
Mitre's CVE-2009-3559 entry:
** DISPUTED ** main/streams/plain_wrapper.c in PHP 5.3.x before 5.3.1
does not recognize the safe_mode_include_dir directive, which allows
context-dependent attackers to have an unknown impact by triggering
the failure of PHP scripts that perform include or require operations,
as demonstrated by a script that attempts to perform a require_once on
a file in a standard library directory. NOTE: a reliable third party
reports that this is not a vulnerability.