Bug 783350 - (CVE-2012-0807) CVE-2012-0807 php-suhosin: stack based buffer overflow in transparent cookie encryption
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 783351 783352 783353
Reported: 2012-01-20 00:02 EST by Vincent Danen
Modified: 2016-10-14 09:00 EDT
Fixed In Version: php-suhosin 0.9.33
Doc Type: Bug Fix
Last Closed: 2016-10-14 09:00:39 EDT

Attachments: None
Description Vincent Danen 2012-01-20 00:02:34 EST
It was reported [1] that a flaw in how the PHP Suhosin extension handled transparent cookie encryption could possibly lead to arbitrary code execution in certain situations.

Quoting from the report:

During an internal audit of the Suhosin PHP extension, which is
often confused with the Suhosin PHP Patch, although they are not
the same, a possible stack based buffer overflow inside the
transparent cookie encryption feature was discovered.

If successfully exploited, this vulnerability can lead to arbitrary
remote code execution. However, further investigation into the
vulnerability revealed that it can only be triggered if the admin
has not only activated transparent cookie encryption, but also
explicitly disabled several other security features of Suhosin.
In addition to that, remote exploitation requires a PHP application
that puts unfiltered user input into a call to the header()
function that sends a Set-Cookie header.

Furthermore, most modern Unix systems compile the Suhosin extension
with the FORTIFY_SOURCE flag, which will detect the possible buffer
overflow and abort execution before something bad can happen.

This can only be done when the feature is enabled (suhosin.cookie.encrypt). This is corrected in upstream 0.9.33 [2].

[1] http://seclists.org/fulldisclosure/2012/Jan/295
[2] https://github.com/stefanesser/suhosin/commit/73b1968ee30f6d9d2dae497544b910e68e114bfa
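As an added example (not code from the report, from Suhosin, or from Red Hat): the application-side precondition the report names, unfiltered user input in a header() call that sends Set-Cookie, beside a hardened form of the same code, plus a check for whether the suhosin.cookie.encrypt feature the bug depends on is active. The function names, the allowed cookie names and the length limit are assumptions for illustration.

```php
<?php
// Added example, not from the bug report or the Suhosin project.
// Cookie names and values below are constructed sample input.

// Vulnerable pattern: request data is concatenated straight into a raw
// Set-Cookie header. This is the header that Suhosin's transparent cookie
// encryption processes when suhosin.cookie.encrypt is on, so the request
// fully controls what the extension has to handle.
function set_pref_cookie_unsafe(): void
{
    header('Set-Cookie: ' . $_GET['name'] . '=' . $_GET['value']);
}

// Hardened form: whitelist the cookie name, bound the value's length and
// character set, and let setcookie() build the header instead of header().
// No request-controlled length reaches the Set-Cookie header unchecked.
function set_pref_cookie_safe(string $name, string $value): bool
{
    static $allowed = ['theme', 'lang'];   // assumed: names the app really uses
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    if (strlen($value) > 64 || preg_match('/[^A-Za-z0-9_-]/', $value)) {
        return false;
    }
    return setcookie($name, $value, [
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

// Deployment check for an admin: is the feature the advisory ties this
// bug to (transparent cookie encryption) enabled on this PHP build?
function suhosin_cookie_encrypt_enabled(): bool
{
    return extension_loaded('suhosin')
        && filter_var(ini_get('suhosin.cookie.encrypt'), FILTER_VALIDATE_BOOLEAN);
}

if (PHP_SAPI === 'cli') {
    var_dump(suhosin_cookie_encrypt_enabled());
}
```

Run the file from the CLI on the affected host to see whether the encryption feature is on; the hardened function is what the report's precondition asks application authors to remove.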
Comment 1 Vincent Danen 2012-01-20 00:04:12 EST
Created php-suhosin tracking bugs for this issue

Affects: fedora-15 [bug 783351]
Affects: epel-5 [bug 783352]
Affects: epel-6 [bug 783353]
Comment 2 Kurt Seifried 2012-01-24 15:44:20 EST
Added CVE as per http://www.openwall.com/lists/oss-security/2012/01/24/11
Comment 3 Remi Collet 2016-10-14 09:00:39 EDT
Closing as the package is no longer in the repo.