445006 – (CVE-2008-2051) CVE-2008-2051 PHP multibyte shell escape flaw

Bug 445006 (CVE-2008-2051) - CVE-2008-2051 PHP multibyte shell escape flaw

Summary: CVE-2008-2051 PHP multibyte shell escape flaw

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-2051
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	445917 445919 445920 445921 445922 445923 445924 445925
Blocks:
TreeView+	depends on / blocked

Reported:	2008-05-02 18:04 UTC by Josh Bressers
Modified:	2019-09-29 12:24 UTC (History)
CC List:	3 users (show)
Fixed In Version:	5.2.6-2.fc9
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-03-29 09:46:33 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:0505	normal	SHIPPED_LIVE	Moderate: Red Hat Application Stack v2.1 security and enhancement update	2008-07-02 13:15:28 UTC
Red Hat Product Errata	RHSA-2008:0544	normal	SHIPPED_LIVE	Moderate: php security update	2008-07-16 09:46:17 UTC
Red Hat Product Errata	RHSA-2008:0545	normal	SHIPPED_LIVE	Moderate: php security and bug fix update	2008-07-16 09:57:19 UTC
Red Hat Product Errata	RHSA-2008:0546	normal	SHIPPED_LIVE	Moderate: php security update	2008-07-16 09:59:22 UTC
Red Hat Product Errata	RHSA-2008:0582	normal	SHIPPED_LIVE	Moderate: php security update	2008-07-22 12:30:50 UTC

Description Josh Bressers 2008-05-02 18:04:07 UTC

From the PHP 5.2.6 changelog:
* Properly address incomplete multibyte chars inside escapeshellcmd() identified
by Stefan Esser.

The fix for this is here:
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/exec.c?r1=1.113.2.3.2.1.2.3&r2=1.113.2.3.2.1.2.4&diff_format=u

Comment 2 Joe Orton 2008-05-06 13:14:34 UTC

This issue is exploitable if you have a script which:

1) passes untrusted script input to escapeshellcmd (as is the intended use for
that function)

2) runs a shell script using the output from (1) in a "strange" locale.

This does not seem to be exploitable in UTF-8 locales on Linux.  Based on this
analysis I would say rate this Moderate severity.

Comment 3 Tomas Hoger 2008-05-07 11:13:59 UTC

Further detail can be found in Stefan Esser's advisory:

http://www.sektioneins.de/advisories/SE-2008-03.txt

Comment 10 Fedora Update System 2008-06-14 04:19:43 UTC

php-5.2.6-2.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update php'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-3606

Comment 11 Fedora Update System 2008-06-20 19:08:22 UTC

php-5.2.6-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2008-06-20 19:09:21 UTC

php-5.2.6-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Tomas Hoger 2010-03-29 09:46:33 UTC

https://www.redhat.com/security/data/cve/CVE-2008-2051.html

Note You need to log in before you can comment on or make changes to this bug.