Bug 539529 (CVE-2009-3557, CVE-2009-3558, CVE-2009-3559) - php: safe_mode / open_basedir security fixes in 5.3.1
Summary: php: safe_mode / open_basedir security fixes in 5.3.1
Keywords:
Status: CLOSED DUPLICATE of bug 169857
Alias: CVE-2009-3557, CVE-2009-3558, CVE-2009-3559
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-11-20 13:43 UTC by Tomas Hoger
Modified: 2019-09-29 12:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-20 13:53:59 UTC
Embargoed:



Description Tomas Hoger 2009-11-20 13:43:53 UTC
New PHP upstream release 5.3.1 fixes a couple of security issues:

  http://www.php.net/releases/5_3_1.php
  http://www.php.net/ChangeLog-5.php#5.3.1

Mail announcement with CVE ids:

  http://news.php.net/php.announce/79

  - Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.
    (CVE-2009-3557, Rasmus)
  - Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz
    Stachowiak. (CVE-2009-3558, Rasmus)
  - Fixed bug #50063 (safe_mode_include_dir fails). (CVE-2009-3559,
    Johannes, christian at elmerot dot se)

Note: CVE-2009-3292 / CVE-2009-3294 were previously fixed in 5.2.11.

Comment 1 Tomas Hoger 2009-11-20 13:47:17 UTC
tempnam() safe_mode bypass is covered by the following advisory:

  http://securityreason.com/securityalert/6601

uid checks for the target directory were not performed by tempnam(). Upstream fix:

  http://svn.php.net/viewvc?view=revision&revision=288945

Comment 2 Tomas Hoger 2009-11-20 13:48:44 UTC
posix_mkfifo() open_basedir bypass is covered by the following advisory:

  http://securityreason.com/securityalert/6600

Upstream fix:

  http://svn.php.net/viewvc?view=revision&revision=288943

Comment 3 Tomas Hoger 2009-11-20 13:52:43 UTC
The "safe_mode_include_dir fails" problem is detailed in the upstream bug:

  http://bugs.php.net/bug.php?id=50063

According to the bug, this issue is specific to 5.3.x and does not affect previous versions.

Upstream fix:

  http://svn.php.net/viewvc/?view=revision&revision=290578

This problem is also not a security flaw, as the safe mode uid check was applied where it shouldn't have been. So the access was denied where it should have been granted.

Comment 4 Tomas Hoger 2009-11-20 13:53:59 UTC
CVE-2009-3559 is not a security issue; CVE-2009-3557/CVE-2009-3558 are safe_mode / open_basedir bypass issues. Closing as dupe of bug #169857.

*** This bug has been marked as a duplicate of bug 169857 ***

Comment 5 Jan Lieskovsky 2009-11-23 17:52:56 UTC
Mitre's CVE-2009-3559 entry:
----------------------------

** DISPUTED ** main/streams/plain_wrapper.c in PHP 5.3.x before 5.3.1
does not recognize the safe_mode_include_dir directive, which allows
context-dependent attackers to have an unknown impact by triggering
the failure of PHP scripts that perform include or require operations,
as demonstrated by a script that attempts to perform a require_once on
a file in a standard library directory. NOTE: a reliable third party
reports that this is not a vulnerability.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3559
http://www.openwall.com/lists/oss-security/2009/11/20/2
http://www.openwall.com/lists/oss-security/2009/11/20/3
http://www.openwall.com/lists/oss-security/2009/11/20/5
http://news.php.net/php.announce/79
http://bugs.php.net/bug.php?id=50063
http://www.php.net/ChangeLog-5.php
http://www.php.net/releases/5_3_1.php

