Common Vulnerabilities and Exposures assigned an identifier CVE-2015-2348 to the following vulnerability:

Name: CVE-2015-2348
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2348
Assigned: 20150319
Reference: https://bugs.php.net/bug.php?id=69207

The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
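As an added illustration (not code from the PHP source or from this bug), the C snippet below shows the mismatch the description above refers to: a destination name carrying an embedded \x00 looks like a .jpg to a length-aware caller but reaches the C string APIs truncated to .php, and the length-versus-strlen comparison is the check that rejects it before any filesystem call. The sample filename is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: what a length-aware caller holds as one 15-byte
 * string, and what a C string API would see as "upload.php". */
static const char NAME[] = "upload.php\0.jpg";
#define NAME_LEN (sizeof NAME - 1)

/* Extension as a length-aware caller (PHP's own string type) sees it:
 * scan all `len` bytes for the last '.', NUL bytes are ordinary data. */
static const char *ext_full_length(const char *buf, size_t len) {
    const char *dot = NULL;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '.') dot = buf + i;
    }
    return dot ? dot : buf + len;
}

/* Extension as a C string API (rename/unlink/strrchr) sees it:
 * everything after the first NUL is invisible. Needs a terminated buffer. */
static const char *ext_c_string(const char *buf) {
    const char *dot = strrchr(buf, '.');
    return dot ? dot : buf + strlen(buf);
}

/* The check from the fix: the name is safe to hand to a C string API only
 * if the C-visible length equals the declared length (no embedded NUL). */
static int path_is_nul_safe(const char *buf, size_t len) {
    size_t visible = 0;
    while (visible < len && buf[visible] != '\0') visible++;
    return visible == len;
}

int main(void) {
    printf("length-aware view : ext=%s\n", ext_full_length(NAME, NAME_LEN));
    printf("C string view     : ext=%s\n", ext_c_string(NAME));
    printf("accepted by check : %s\n",
           path_is_nul_safe(NAME, NAME_LEN) ? "yes" : "no (rejected)");
    return 0;
}
```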
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1207702]
PHP Fix http://git.php.net/?p=php-src.git;a=commit;h=1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1
PHP 5.3.3 in RHEL is not affected, as already fixed by php-5.3.3-CVE-2006-7243.patch @@ -5811,6 +5834,14 @@ PHP_FUNCTION(move_uploaded_file) RETURN_FALSE; } + if (strlen(path) != path_len) { + RETURN_FALSE; + } + + if (strlen(new_path) != new_path_len) { + RETURN_FALSE; + } + VCWD_UNLINK(new_path); if (VCWD_RENAME(path, new_path) == 0) { successful = 1; So only affects PHP 5.4+ Notice, the check for 'path' is not need as already checked by zend_hash_exists. So upstream patch use "p" only for 'new_path'
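Review bot: the check that matters in this hunk is `if (strlen(new_path) != new_path_len) { RETURN_FALSE; }`, and it is correctly placed before `VCWD_UNLINK(new_path)`, so a destination with an embedded \x00 is refused before either the unlink or the rename can operate on the truncated C string. The companion `strlen(path) != path_len` check is redundant, as the comment after the hunk notes: `path` has already been validated against the uploaded-files hash by zend_hash_exists, which compares the full binary-safe length. Dropping it and using the "p" argument specifier for `new_path`, as the upstream commit does, moves the rejection to argument parsing and keeps the function body free of the duplicated check.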
Ok, thank you for pointing this out. So rather than this being an incomplete CVE-2006-7243 fix issue, it's more of a 5.4+ regression of part of the CVE-2006-7243 fix. Similar to CVE-2014-5120, and likely with similar cause to what's described in bug 1132793 comment 7 and bug 1132793 comment 8. The fix noted in comment 8 above is used in php and php53 packages in Red Hat Enterprise Linux 5 and 6, hence those are not affected by this issue. The php packages in Red Hat Enterprise Linux 7 and Red Hat Software Collections 1 are based on upstream 5.4 or 5.5 and are therefore affected. Statement: This issue does not affect the current php and php53 packages in Red Hat Enterprise Linux 5 and 6, as it was previously corrected as part of the fix for CVE-2006-7243.
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1066 https://rhn.redhat.com/errata/RHSA-2015-1066.html
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1053 https://rhn.redhat.com/errata/RHSA-2015-1053.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2015:1135 https://rhn.redhat.com/errata/RHSA-2015-1135.html