Bug 539529 - (CVE-2009-3557, CVE-2009-3558, CVE-2009-3559) php: safe_mode / open_basedir security fixes in 5.3.1
Status: CLOSED DUPLICATE of bug 169857
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
source=internet,impact=none,reported=...
Keywords: Security
Reported: 2009-11-20 08:43 EST by Tomas Hoger
Modified: 2009-11-23 12:52 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-11-20 08:53:59 EST
Description Tomas Hoger 2009-11-20 08:43:53 EST
New PHP upstream release 5.3.1 fixes a couple of security issues:

  http://www.php.net/releases/5_3_1.php
  http://www.php.net/ChangeLog-5.php#5.3.1

Mail announcement with CVE ids:

  http://news.php.net/php.announce/79

  - Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.
    (CVE-2009-3557, Rasmus)
  - Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz
    Stachowiak. (CVE-2009-3558, Rasmus)
  - Fixed bug #50063 (safe_mode_include_dir fails). (CVE-2009-3559,
    Johannes, christian at elmerot dot se)

Note: CVE-2009-3292 / CVE-2009-3294 were previously fixed in 5.2.11.
Comment 1 Tomas Hoger 2009-11-20 08:47:17 EST
tempnam() safe_mode bypass is covered by the following advisory:

  http://securityreason.com/securityalert/6601

uid checks for target directory were not performed by tempnam(), upstream fix:

  http://svn.php.net/viewvc?view=revision&revision=288945
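
Added example, not part of the bug report and not PHP's source or the upstream fix: a simplified C model of the kind of check comment 1 says tempnam() skipped, an owner-uid test on the target directory before a temporary file is created there. The names `dir_owner_ok`, `checked_tempfile` and `demo` are hypothetical, and the script owner is modelled as a uid passed in by the caller.

```c
#define _XOPEN_SOURCE 700   /* for mkstemp() and mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Simplified safe_mode-style owner check (hypothetical helper): the target
 * must exist, be a directory, and be owned by the script owner's uid. */
static int dir_owner_ok(const char *dir, uid_t script_uid)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    return st.st_uid == script_uid;
}

/* Hypothetical tempnam()-like wrapper: creates the file only when the owner
 * check passes. Returns an open fd with the path in `out`, or -1. */
int checked_tempfile(const char *dir, const char *prefix, uid_t script_uid,
                     char *out, size_t outlen)
{
    if (!dir_owner_ok(dir, script_uid))
        return -1;                        /* uid mismatch: refuse */
    int n = snprintf(out, outlen, "%s/%sXXXXXX", dir, prefix);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                        /* path would be truncated */
    return mkstemp(out);
}

/* Constructed scenario: a fresh directory owned by the current user, tried
 * with the matching uid and with a different one. Returns 1 if only the
 * matching uid is allowed to create the file. */
int demo(void)
{
    char dir[] = "/tmp/smdemoXXXXXX", path[256];
    if (!mkdtemp(dir))
        return -1;
    uid_t me = geteuid();
    int fd = checked_tempfile(dir, "t_", me, path, sizeof path);
    int allowed = fd >= 0;
    if (allowed) { close(fd); unlink(path); }
    fd = checked_tempfile(dir, "t_", me + 1, path, sizeof path);
    int denied = fd < 0;
    if (!denied) { close(fd); unlink(path); }
    rmdir(dir);
    return allowed && denied;
}

int main(void) { printf("owner check enforced: %d\n", demo()); return 0; }
```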
Comment 2 Tomas Hoger 2009-11-20 08:48:44 EST
posix_mkfifo() open_basedir bypass is covered by the following advisory:

  http://securityreason.com/securityalert/6600

Upstream fix:

  http://svn.php.net/viewvc?view=revision&revision=288943
Comment 3 Tomas Hoger 2009-11-20 08:52:43 EST
safe_mode_include_dir fails problem is detailed in the upstream bug:

  http://bugs.php.net/bug.php?id=50063

According to the bug, this issue is specific to 5.3.x and does not affect previous versions.

Upstream fix:

  http://svn.php.net/viewvc/?view=revision&revision=290578

This problem is also not a security flaw, as safe mode uid check was applied where it shouldn't have been.  So the access was denied where it should have been granted.
Comment 4 Tomas Hoger 2009-11-20 08:53:59 EST
CVE-2009-3559 is not security, CVE-2009-3557/CVE-2009-3558 are safe_mode / open_basedir bypass issues, closing as dupe of bug #169857.

*** This bug has been marked as a duplicate of bug 169857 ***
Comment 5 Jan Lieskovsky 2009-11-23 12:52:56 EST
Mitre's CVE-2009-3559 entry:
----------------------------

** DISPUTED ** main/streams/plain_wrapper.c in PHP 5.3.x before 5.3.1
does not recognize the safe_mode_include_dir directive, which allows
context-dependent attackers to have an unknown impact by triggering
the failure of PHP scripts that perform include or require operations,
as demonstrated by a script that attempts to perform a require_once on
a file in a standard library directory. NOTE: a reliable third party
reports that this is not a vulnerability.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3559
http://www.openwall.com/lists/oss-security/2009/11/20/2
http://www.openwall.com/lists/oss-security/2009/11/20/3
http://www.openwall.com/lists/oss-security/2009/11/20/5
http://news.php.net/php.announce/79
http://bugs.php.net/bug.php?id=50063
http://www.php.net/ChangeLog-5.php
http://www.php.net/releases/5_3_1.php
