Bug 674699 - (CVE-2011-0752) CVE-2011-0752 php: extract() can overwrite $GLOBALS and $this when using EXTR_OVERWRITE
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: public=20101208,reported=20101213,sou...
Keywords: Security
Reported: 2011-02-02 18:27 EST by Vincent Danen
Modified: 2015-08-19 05:03 EDT
Last Closed: 2011-02-28 13:02:55 EST
Doc Type: Bug Fix
Attachments: None

Description Vincent Danen 2011-02-02 18:27:23 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0752 to
the following vulnerability:

Name: CVE-2011-0752
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0752
Assigned: 20110202
Reference: MLIST:[oss-security] 20101213 Re: Issues without CVE names in PHP 5.3.4/5.2.15 release
Reference: URL: http://www.openwall.com/lists/oss-security/2010/12/13/4
Reference: CONFIRM: http://www.php.net/ChangeLog-5.php
Reference: CONFIRM: http://www.php.net/archive/2010.php#id2010-12-10-1
Reference: CONFIRM: http://www.php.net/releases/5_2_15.php

The extract function in PHP before 5.2.15 does not prevent use of the
EXTR_OVERWRITE parameter to overwrite (1) the GLOBALS superglobal
array and (2) the this variable, which allows context-dependent
attackers to bypass intended access restrictions by modifying data
structures that were not intended to depend on external input, a
related issue to CVE-2005-2691 and CVE-2006-3758.
Upstream has indicated [1] that listing this under the security fixes in 5.2.15 was a mistake.  The 5.3.4 release that also fixes this bug lists it under "Core" [2], rather than under security fixes.

[1] http://www.openwall.com/lists/oss-security/2010/12/13/6
[2] http://www.php.net/ChangeLog-5.php#5.3.4
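To make the hazard concrete, the following PHP is an added illustration (not code from the bug report, the upstream commit, or PHP itself). It shows why extract() on an array whose keys the caller does not control is dangerous under EXTR_OVERWRITE, and the allow-list plus EXTR_PREFIX_ALL pattern that keeps it from touching existing variables or the reserved names $GLOBALS and $this. The $input array and the function names are constructed for the example.

```php
<?php
// Added example: demonstrates the variable-clobbering behaviour behind
// CVE-2011-0752 and a safe way to use extract(). $input is a constructed
// sample standing in for any array built from external data.

function render_unsafe(array $input): string
{
    // Anti-pattern: every key of $input becomes a local variable, and
    // with EXTR_OVERWRITE (the default) existing variables are replaced.
    // Before PHP 5.2.15 / 5.3.4 a key named "GLOBALS" or "this" could
    // even replace those reserved names; current PHP skips them, but any
    // other variable in scope is still overwritten.
    $isAdmin = false;
    extract($input, EXTR_OVERWRITE);
    return $isAdmin ? 'admin' : 'user';
}

function render_safe(array $input): string
{
    $isAdmin = false;

    // Only accept the keys this script actually expects ...
    $allowed  = ['title', 'page'];
    $filtered = array_intersect_key($input, array_flip($allowed));

    // ... and prefix them, so the imported names can never collide with
    // $isAdmin, $GLOBALS, $this, or anything else already in scope.
    extract($filtered, EXTR_PREFIX_ALL, 'in');   // defines $in_title, $in_page

    $title = $in_title ?? 'untitled';
    return $isAdmin ? "admin:$title" : "user:$title";
}

// Constructed input: a caller-chosen key that happens to match a local
// variable, plus the reserved name the CVE is about.
$input = ['title' => 'Home', 'isAdmin' => true, 'GLOBALS' => []];

echo render_unsafe($input), "\n";   // $isAdmin was clobbered
echo render_safe($input),   "\n";   // $isAdmin untouched, only $in_title imported
```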
Comment 1 Vincent Danen 2011-02-02 18:36:40 EST
Upstream commit:

http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/array.c?r1=305011&r2=305570

Doesn't look to affect PHP 5.1.x at all.
Comment 4 Tomas Hoger 2011-02-28 13:02:55 EST
Closing as not-a-security bug as explained in comment #2.

For posterity, this was fixed in php53 in RHEL-5 before these packages were added in 5.6 (bug #655330) and is planned to be fixed as non-security bug in php update in RHEL-6.1 (bug #655118).
Comment 5 Vincent Danen 2011-07-27 13:12:16 EDT
Statement:

We do not consider this flaw to be a security issue as it is only exploitable by the script author. No trust boundary is crossed.

This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 3, 4, or 5 (php). This issue was addressed in the php53 packages as shipped in Red Hat Enterprise Linux 5 before their first release in Red Hat Enterprise Linux 5.6, and it was addressed in the php package in Red Hat Enterprise Linux 6 via RHBA-2011:0615.
