Bug 662707 – CVE-2006-7243 php: paths with NULL character were considered valid

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 662707 - (CVE-2006-7243) CVE-2006-7243 php: paths with NULL character were considered valid

Summary:	CVE-2006-7243 php: paths with NULL character were considered valid

Status:	CLOSED ERRATA

Aliases:	CVE-2006-7243

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20061218,repor...
Keywords:	Reopened, Security

Duplicates:	820101 (view as bug list)
Depends On:	958614 988714 1067646 1067647
Blocks:	927185 952520 974906
	Show dependency tree / graph

Reported:	2010-12-13 11:45 EST by Vincent Danen
Modified:	2015-05-26 17:35 EDT (History)
CC List:	15 users (show)

See Also:
Fixed In Version:	php 5.3.4
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2014-09-04 14:59:59 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:1307	normal	SHIPPED_LIVE	Moderate: php53 security, bug fix and enhancement update	2013-09-30 20:31:22 EDT
Red Hat Product Errata	RHSA-2013:1615	normal	SHIPPED_LIVE	Moderate: php security, bug fix, and enhancement update	2013-11-20 16:38:52 EST
Red Hat Product Errata	RHSA-2014:0311	normal	SHIPPED_LIVE	Critical: php security update	2014-03-18 19:43:38 EDT

Groups: None (edit)

Description Vincent Danen 2010-12-13 11:45:35 EST

It was reported [1],[2] that PHP would accept filenames with a NULL character in the string, and silently truncate anything after the NULL character.  This could lead to unexpected results and could possibly disclose the existence of certain system files.  This was initially reported against the file_exists() function, but a number of other functions were changed to prevent PHP from considering paths with a NULL character as being valid [2].

This has been corrected in the upstream 5.3.4 release [3].

[1] http://bugs.php.net/39863
[2] http://www.madirish.net/?article=436
[3] http://svn.php.net/viewvc/?view=revision&amp;revision=305507
[4] http://www.php.net/archive/2010.php#id2010-12-10-1

Comment 3 Huzaifa S. Sidhpurwala 2010-12-28 03:54:23 EST


*** This bug has been marked as a duplicate of bug 169857 ***

Comment 4 Jan Lieskovsky 2012-05-09 05:27:50 EDT

*** Bug 820101 has been marked as a duplicate of this bug. ***

Comment 7 Robert Scheck 2013-05-06 08:16:42 EDT

ownCloud 5.0.5 setup complains that a fully RHEL 6 is vulnerable to this. Not
very nice - even this is just moderate. Any plans to fix this?

Comment 8 Robert Scheck 2013-05-13 07:39:48 EDT

Cross-filed case 00836562 in the Red Hat customer portal.

Comment 11 errata-xmlrpc 2013-09-30 18:11:52 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1307 https://rhn.redhat.com/errata/RHSA-2013-1307.html

Comment 12 Huzaifa S. Sidhpurwala 2013-10-01 00:43:04 EDT

Statement:

(none)

Comment 14 errata-xmlrpc 2013-11-21 06:16:37 EST

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1615 https://rhn.redhat.com/errata/RHSA-2013-1615.html

Comment 19 errata-xmlrpc 2014-03-18 15:45:24 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0311 https://rhn.redhat.com/errata/RHSA-2014-0311.html

Comment 20 Tomas Hoger 2014-03-18 17:07:24 EDT

Thank to Remi Collet for pointing out that parts of the upstream patch are applicable to additional packages available in EPEL-5.  Those are either for modules that were not part of PHP upstream in version 5.1.6, or that are not built in Red Hat Enterprise Linux 5 packages.

php-pecl-zip
php-pecl-fileinfo
php-extras (tidy module)

CCing respective owners.

Comment 21 Remi Collet 2014-03-19 04:29:34 EDT

zip: http://pkgs.fedoraproject.org/cgit/php-pecl-zip.git/commit/?h=el5&id=3c94f430d28fe042709348721d92d21b87640301

fileinfo: http://pkgs.fedoraproject.org/cgit/php-pecl-Fileinfo.git/commit/?h=el5&id=b97721c3170163d79527c265f02258e5bc8bbd99

tidy: http://pkgs.fedoraproject.org/cgit/php-extras.git/commit/?h=el5&id=b704d7895d947fcb040393df6cc21c9f2c8572d5

Build + update will come ASAP.

Note You need to log in before you can comment on or make changes to this bug.