Bug 783350 (CVE-2012-0807) - CVE-2012-0807 php-suhosin: stack based buffer overflow in transparent cookie encryption
Summary: CVE-2012-0807 php-suhosin: stack based buffer overflow in transparent cookie ...
Status: CLOSED NOTABUG
Alias: CVE-2012-0807
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20120119,repor...
Keywords: Security
Depends On: 783351 783352 783353
Blocks:
 
Reported: 2012-01-20 05:02 UTC by Vincent Danen
Modified: 2016-10-14 13:00 UTC (History)

Clone Of:
Last Closed: 2016-10-14 13:00:39 UTC



Description Vincent Danen 2012-01-20 05:02:34 UTC
It was reported [1] that a flaw in how the PHP Suhosin extension handled transparent cookie encryption could possibly lead to arbitrary code execution in certain situations.

Quoting from the report:

During an internal audit of the Suhosin PHP extension, which is
often confused with the Suhosin PHP Patch, although they are not
the same, a possible stack based buffer overflow inside the
transparent cookie encryption feature was discovered.

If successfully exploited this vulnerability can lead to arbitrary
remote code execution. However further investigation into the
vulnerability revealed that it can only be triggered if the admin
has not only activated transparent cookie encryption, but also
explicitly disabled several other security features of Suhosin.
In addition to that remote exploitation requires a PHP application
that puts unfiltered user input into a call to the header()
function that sends a Set-Cookie header.

Furthermore most modern unix systems compile the Suhosin extension
with the FORTIFY_SOURCE flag, which will detect the possible buffer
overflow and abort execution before something bad can happen.


This can only be done when the feature is enabled (suhosin.cookie.encrypt).  This is corrected in upstream 0.9.33 [2].

[1] http://seclists.org/fulldisclosure/2012/Jan/295
[2] https://github.com/stefanesser/suhosin/commit/73b1968ee30f6d9d2dae497544b910e68e114bfa
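The report above describes the bug class (a fixed-size stack buffer receiving a cookie name/value that an application let unfiltered user input reach through header("Set-Cookie: ...")) but not the affected code. The following is an added illustration written for this page, not suhosin's code and not a reproduction of the actual flaw: it shows the unbounded-copy pattern beside a bounds-checked parser, with hypothetical buffer sizes (COOKIE_NAME_MAX, COOKIE_VALUE_MAX) and constructed sample headers, all assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Illustration of the bug class only; not suhosin's code.  The buffer
 * sizes are assumptions for this example, not the extension's constants. */
#define COOKIE_NAME_MAX  64
#define COOKIE_VALUE_MAX 256

enum cookie_status {
    COOKIE_OK             =  0,
    COOKIE_MALFORMED      = -1,  /* missing "Set-Cookie:" prefix or '=' */
    COOKIE_NAME_TOO_LONG  = -2,
    COOKIE_VALUE_TOO_LONG = -3,
    COOKIE_INJECTION      = -4   /* CR/LF inside the header: injection attempt */
};

/* Locate name and value inside "Set-Cookie: name=value[; attrs]" without
 * copying anything; the caller decides whether the pieces fit its buffers. */
static int split_set_cookie(const char *hdr,
                            const char **name, size_t *name_len,
                            const char **value, size_t *value_len)
{
    static const char prefix[] = "Set-Cookie:";
    const char *p, *eq, *end;

    if (strncasecmp(hdr, prefix, sizeof prefix - 1) != 0)
        return COOKIE_MALFORMED;
    if (strpbrk(hdr, "\r\n") != NULL)
        return COOKIE_INJECTION;
    p = hdr + sizeof prefix - 1;
    while (*p == ' ' || *p == '\t')
        p++;
    eq = strchr(p, '=');
    if (eq == NULL || eq == p)
        return COOKIE_MALFORMED;
    end = strchr(eq, ';');
    if (end == NULL)
        end = eq + strlen(eq);
    *name = p;
    *name_len = (size_t)(eq - p);
    *value = eq + 1;
    *value_len = (size_t)(end - (eq + 1));
    return COOKIE_OK;
}

/* The vulnerable pattern: a strcpy-style copy of name/value into
 * COOKIE_*_MAX-byte stack buffers with no length check.  Not executed
 * here; this only reports whether such a copy (length + NUL) would run
 * past the end of either buffer. */
int set_cookie_would_overflow(const char *hdr)
{
    const char *name, *value;
    size_t nl, vl;

    if (split_set_cookie(hdr, &name, &nl, &value, &vl) != COOKIE_OK)
        return 0;
    return nl + 1 > COOKIE_NAME_MAX || vl + 1 > COOKIE_VALUE_MAX;
}

/* Hardened form: verify each piece plus its terminator fits the
 * destination before copying, and reject the header otherwise. */
int set_cookie_parse_bounded(const char *hdr,
                             char *name_out, size_t name_sz,
                             char *value_out, size_t value_sz)
{
    const char *name, *value;
    size_t nl, vl;
    int rc = split_set_cookie(hdr, &name, &nl, &value, &vl);

    if (rc != COOKIE_OK)
        return rc;
    if (nl + 1 > name_sz)
        return COOKIE_NAME_TOO_LONG;
    if (vl + 1 > value_sz)
        return COOKIE_VALUE_TOO_LONG;
    memcpy(name_out, name, nl);
    name_out[nl] = '\0';
    memcpy(value_out, value, vl);
    value_out[vl] = '\0';
    return COOKIE_OK;
}

/* What a cookie-rewriting hook would do: parse into fixed-size stack
 * buffers, now with the bounds enforced.  Returns the status code. */
int rewrite_set_cookie_on_stack(const char *hdr)
{
    char name[COOKIE_NAME_MAX];
    char value[COOKIE_VALUE_MAX];
    return set_cookie_parse_bounded(hdr, name, sizeof name, value, sizeof value);
}

/* Constructed sample: a normal header a PHP app might emit. */
const char *sample_benign_header(void)
{
    return "Set-Cookie: session=abc123; Path=/; HttpOnly";
}

/* Constructed sample mimicking unfiltered user input reaching header():
 * a 300-byte value, longer than COOKIE_VALUE_MAX. */
const char *sample_oversized_header(void)
{
    static char buf[400];
    size_t n = strlen("Set-Cookie: session=");
    memcpy(buf, "Set-Cookie: session=", n);
    memset(buf + n, 'A', 300);
    buf[n + 300] = '\0';
    return buf;
}

int main(void)
{
    const char *bad = sample_oversized_header();
    printf("benign:    overflow=%d rc=%d\n",
           set_cookie_would_overflow(sample_benign_header()),
           rewrite_set_cookie_on_stack(sample_benign_header()));
    printf("oversized: overflow=%d rc=%d\n",
           set_cookie_would_overflow(bad), rewrite_set_cookie_on_stack(bad));
    return 0;
}
```

The mitigation the report mentions applies to the unsafe variant: built with -O2 and -D_FORTIFY_SOURCE=2, glibc replaces an unbounded strcpy into a stack array of known size with a checked variant that aborts on overflow, which is why the advisory rates the distribution builds as protected even when the Suhosin options that would block the input are disabled.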

Comment 1 Vincent Danen 2012-01-20 05:04:12 UTC
Created php-suhosin tracking bugs for this issue

Affects: fedora-15 [bug 783351]
Affects: epel-5 [bug 783352]
Affects: epel-6 [bug 783353]

Comment 2 Kurt Seifried 2012-01-24 20:44:20 UTC
Added CVE as per http://www.openwall.com/lists/oss-security/2012/01/24/11

Comment 3 Remi Collet 2016-10-14 13:00:39 UTC
Closing as the package is no longer in the repo.

