Bugtraq mailing list archives

[ MDKSA-2006:122 ] - Updated php packages fix multiple vulnerabilities
From: security () mandriva com
Date: Thu, 13 Jul 2006 11:14:01 -0600


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:122
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : php
 Date    : July 13, 2006
 Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
 earlier may allow remote attackers to execute arbitrary code via
 malformed image files that trigger the overflows due to improper calls
 to the gdMalloc function. One instance in gd_io_dp.c does not appear to
 be corrected in the embedded copy of GD used in php to build the php-gd
 package. (CVE-2004-0941) 
 
 Integer overflows were reported in the GD Graphics Library (libgd)
 2.0.28, and possibly other versions. These overflows allow remote
 attackers to cause a denial of service and possibly execute arbitrary
 code via PNG image files with large image rows values that lead to a
 heap-based buffer overflow in the gdImageCreateFromPngCtx() function. 
 PHP, as packaged in Mandriva Linux, contains an embedded copy of the
 GD library, used to build the php-gd package. (CVE-2004-0990)
 
 The c-client library 2000, 2001, or 2004 for PHP 3.x, 4.x, and 5.x,
 when used in applications that accept user-controlled input for the
 mailbox argument to the imap_open function, allow remote attackers to
 obtain access to an IMAP stream data structure and conduct unauthorized
 IMAP actions. (CVE-2006-1017)
 
 Integer overflow in the wordwrap function in string.c might allow
 context-dependent attackers to execute arbitrary code via certain long 
 arguments that cause a small buffer to be allocated, which triggers a 
 heap-based buffer overflow in a memcpy function call, a different 
 vulnerability than CVE-2002-1396. (CVE-2006-1990) The previous update
 for this issue did not resolve the issue on 64bit platforms.
 
 The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to
 bypass safe mode and read files via a file:// request containing nul
 characters. (CVE-2006-2563)
 
 Buffer consumption vulnerability in the tempnam function in PHP 5.1.4
 and 4.x before 4.4.3 allows local users to bypass restrictions and
 create PHP files with fixed names in other directories via a pathname
 argument longer than MAXPATHLEN, which prevents a unique string from
 being appended to the filename. (CVE-2006-2660)
 
 The LZW decoding in the gdImageCreateFromGifPtr function in the Thomas 
 Boutell graphics draw (GD) library (aka libgd) 2.0.33 allows remote
 attackers to cause a denial of service (CPU consumption) via malformed
 GIF data that causes an infinite loop.  PHP, as packaged in Mandriva
 Linux, contains an embedded copy of the GD library, used to build the
 php-gd package. (CVE-2006-2906)
 
 The error_log function in PHP allows local users to bypass safe mode
 and open_basedir restrictions via a "php://" or other scheme in the
 third argument, which disables safe mode. (CVE-2006-3011)
 
 An unspecified vulnerability in session.c in PHP before 5.1.3 has
 unknown impact and attack vectors, related to "certain characters in
 session names", including special characters that are frequently
 associated with CRLF injection, SQL injection, and cross-site scripting
 (XSS) vulnerabilities.  NOTE: while the nature of the vulnerability is
 unspecified, it is likely that this is related to a violation of an
 expectation by PHP applications that the session name is alphanumeric,
 as implied in the PHP manual for session_name(). (CVE-2006-3016)
 
 An unspecified vulnerability in PHP before 5.1.3 can prevent a variable
 from being unset even when the unset function is called, which might
 cause the variable's value to be used in security-relevant operations.
 (CVE-2006-3017)
 
 An unspecified vulnerability in the session extension functionality in
 PHP before 5.1.3 has unknown impact and attack vectors related to heap
 corruption. (CVE-2006-3018)
 
 The GD related issues (CVE-2004-0941, CVE-2004-0990, CVE-2006-2906)
 affect only Corporate 3 and Mandrake Network Firewall 2.
 
 The php-curl issue (CVE-2006-2563) affects only Mandriva 2006.0.
 
 Updated packages have been patched to address all these issues.  Once
 these packages have been installed, you will need to restart Apache
 (service httpd restart) in order for the changes to take effect.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0941
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0990
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1017
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1990
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2563
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2660
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2906
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3011
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3016
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3017
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3018
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 10.2:
 78c38db9594e6f378a541d8656a348cd  10.2/RPMS/libphp_common432-4.3.10-7.14.102mdk.i586.rpm
 20874c0f88c0eabb71227562e7b76d99  10.2/RPMS/php432-devel-4.3.10-7.14.102mdk.i586.rpm
 959e27855da01eeda3bce928b81a505e  10.2/RPMS/php-cgi-4.3.10-7.14.102mdk.i586.rpm
 af8f5d5d30248a0dceeb5f477f243521  10.2/RPMS/php-cli-4.3.10-7.14.102mdk.i586.rpm
 3490de40093a12603e1fa2e52fe44936  10.2/RPMS/php-imap-4.3.10-6.3.102mdk.i586.rpm
 ed6c4147816b189ba23131f30246a953  10.2/SRPMS/php-4.3.10-7.14.102mdk.src.rpm
 396e14746eb0f291e212b2d53bea520c  10.2/SRPMS/php-imap-4.3.10-6.3.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 aea78fff707fcf9313f8ea705fe49304  x86_64/10.2/RPMS/lib64php_common432-4.3.10-7.14.102mdk.x86_64.rpm
 24825f38408b5e17ddb030cb6cafbebc  x86_64/10.2/RPMS/php432-devel-4.3.10-7.14.102mdk.x86_64.rpm
 c01955be46b9ee3c01f34cd3ff96fdd5  x86_64/10.2/RPMS/php-cgi-4.3.10-7.14.102mdk.x86_64.rpm
 7b0ea6ea8a37f89fa00240a88d667a13  x86_64/10.2/RPMS/php-cli-4.3.10-7.14.102mdk.x86_64.rpm
 3f2f4c714be10ca1931be7fab5f16ed7  x86_64/10.2/RPMS/php-imap-4.3.10-6.3.102mdk.x86_64.rpm
 ed6c4147816b189ba23131f30246a953  x86_64/10.2/SRPMS/php-4.3.10-7.14.102mdk.src.rpm
 396e14746eb0f291e212b2d53bea520c  x86_64/10.2/SRPMS/php-imap-4.3.10-6.3.102mdk.src.rpm

 Mandriva Linux 2006.0:
 ac3a35ac0db18fe07aed82c55bc9495c  2006.0/RPMS/libphp5_common5-5.0.4-9.12.20060mdk.i586.rpm
 eddf792e9ac30c60ba29967469c94721  2006.0/RPMS/php-cgi-5.0.4-9.12.20060mdk.i586.rpm
 7ad40230e703fb0dbddb9b6b864305de  2006.0/RPMS/php-cli-5.0.4-9.12.20060mdk.i586.rpm
 847ea3aa279af20470a4e4fc0ccefc7f  2006.0/RPMS/php-curl-5.0.4-1.3.20060mdk.i586.rpm
 e81718f6e31cb7aced9d2ff7462c0b80  2006.0/RPMS/php-devel-5.0.4-9.12.20060mdk.i586.rpm
 188757b3e34afb445a288f4156232b77  2006.0/RPMS/php-fcgi-5.0.4-9.12.20060mdk.i586.rpm
 b8487a338e7c0be6baf08f3231169574  2006.0/RPMS/php-imap-5.0.4-2.3.20060mdk.i586.rpm
 cdda5acab01891036e955b4b89509552  2006.0/SRPMS/php-5.0.4-9.12.20060mdk.src.rpm
 6f59b73dc4ad989fc1cf82981a78447b  2006.0/SRPMS/php-curl-5.0.4-1.3.20060mdk.src.rpm
 1ca1cd0433f93e7a5338d265e5fe31a1  2006.0/SRPMS/php-imap-5.0.4-2.3.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 91133e3df28354e321a52b868605f5b4  x86_64/2006.0/RPMS/lib64php5_common5-5.0.4-9.12.20060mdk.x86_64.rpm
 348350bfa9bb17ac01b574d1ce53e212  x86_64/2006.0/RPMS/php-cgi-5.0.4-9.12.20060mdk.x86_64.rpm
 c33ab51b3b82a33140625c1dda6ed397  x86_64/2006.0/RPMS/php-cli-5.0.4-9.12.20060mdk.x86_64.rpm
 070e8e1f3d4a5035cd2ca7b4b9dc6f61  x86_64/2006.0/RPMS/php-curl-5.0.4-1.3.20060mdk.x86_64.rpm
 d1cae6289e3625693902b52730dbf95f  x86_64/2006.0/RPMS/php-devel-5.0.4-9.12.20060mdk.x86_64.rpm
 e8ae1224fab30562d7d66c981893897c  x86_64/2006.0/RPMS/php-fcgi-5.0.4-9.12.20060mdk.x86_64.rpm
 991c3a4f7cb708aa3c2f9ef4b525017e  x86_64/2006.0/RPMS/php-imap-5.0.4-2.3.20060mdk.x86_64.rpm
 cdda5acab01891036e955b4b89509552  x86_64/2006.0/SRPMS/php-5.0.4-9.12.20060mdk.src.rpm
 6f59b73dc4ad989fc1cf82981a78447b  x86_64/2006.0/SRPMS/php-curl-5.0.4-1.3.20060mdk.src.rpm
 1ca1cd0433f93e7a5338d265e5fe31a1  x86_64/2006.0/SRPMS/php-imap-5.0.4-2.3.20060mdk.src.rpm

 Corporate 3.0:
 8bfc40ebf399d5742075eeb33c1a8a72  corporate/3.0/RPMS/libphp_common432-4.3.4-4.18.C30mdk.i586.rpm
 ea00cd47c8a866b07c6081a8e1a3475b  corporate/3.0/RPMS/php432-devel-4.3.4-4.18.C30mdk.i586.rpm
 cfc50d1bc5aaf96760938648d8f30715  corporate/3.0/RPMS/php-cgi-4.3.4-4.18.C30mdk.i586.rpm
 66b65fce45465361ead9272a8fc6146d  corporate/3.0/RPMS/php-cli-4.3.4-4.18.C30mdk.i586.rpm
 219f2fa835442a1b4f3fab1cf9433de7  corporate/3.0/RPMS/php-gd-4.3.4-1.3.C30mdk.i586.rpm
 6d3b9ba8bc1dcb77f00308e54dc2ab64  corporate/3.0/RPMS/php-imap-4.3.4-1.3.C30mdk.i586.rpm
 6ec95f80b1f1cf3644847b1c83c33a16  corporate/3.0/SRPMS/php-4.3.4-4.18.C30mdk.src.rpm
 37bada32aaafa6e85e936543a2a28b9b  corporate/3.0/SRPMS/php-gd-4.3.4-1.3.C30mdk.src.rpm
 d5b7b08aa1cff8aba9d3e6c011529d33  corporate/3.0/SRPMS/php-imap-4.3.4-1.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 e46dc14256b5ad29c193c9701aed8e71  x86_64/corporate/3.0/RPMS/lib64php_common432-4.3.4-4.18.C30mdk.x86_64.rpm
 03b90618d19cfe790148a9f2f57985ba  x86_64/corporate/3.0/RPMS/php432-devel-4.3.4-4.18.C30mdk.x86_64.rpm
 f9fc560f573ab7911abe22db70decdca  x86_64/corporate/3.0/RPMS/php-cgi-4.3.4-4.18.C30mdk.x86_64.rpm
 eb9b7e8f2cc0eea84d0fe599bd93c902  x86_64/corporate/3.0/RPMS/php-cli-4.3.4-4.18.C30mdk.x86_64.rpm
 338e3f7c9c0a022a0512e7ef8252d37c  x86_64/corporate/3.0/RPMS/php-gd-4.3.4-1.3.C30mdk.x86_64.rpm
 e054fe6114520c57b5e9f991a362e313  x86_64/corporate/3.0/RPMS/php-imap-4.3.4-1.3.C30mdk.x86_64.rpm
 6ec95f80b1f1cf3644847b1c83c33a16  x86_64/corporate/3.0/SRPMS/php-4.3.4-4.18.C30mdk.src.rpm
 37bada32aaafa6e85e936543a2a28b9b  x86_64/corporate/3.0/SRPMS/php-gd-4.3.4-1.3.C30mdk.src.rpm
 d5b7b08aa1cff8aba9d3e6c011529d33  x86_64/corporate/3.0/SRPMS/php-imap-4.3.4-1.3.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 be0aa10810884606a6378a340b170438  mnf/2.0/RPMS/libphp_common432-4.3.4-4.18.M20mdk.i586.rpm
 ef8fac6784866d24b16fb9bbf15069a9  mnf/2.0/RPMS/php432-devel-4.3.4-4.18.M20mdk.i586.rpm
 8132b0cdc8bfb94d7e3d4e0712eae5cc  mnf/2.0/RPMS/php-cgi-4.3.4-4.18.M20mdk.i586.rpm
 5783b1dc5c2f5ac6d3392d284ca5e42e  mnf/2.0/RPMS/php-cli-4.3.4-4.18.M20mdk.i586.rpm
 d88b4c66f31f707bb46098658497876f  mnf/2.0/RPMS/php-gd-4.3.4-1.3.M20mdk.i586.rpm
 0b563d4b740e9d5d21d1eb6464fc573b  mnf/2.0/SRPMS/php-4.3.4-4.18.M20mdk.src.rpm
 05b34d21c7d168fcbb4404dbe08f45ac  mnf/2.0/SRPMS/php-gd-4.3.4-1.3.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEtlHDmqjQ0CJFipgRAidhAJ0RpMAGr1DLvuROJYgY3bQNtXIxwgCffAhR
MnkXxS1sgstZuFI4yDF/f1Y=
=G9sa
-----END PGP SIGNATURE-----
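
For RPMs fetched by hand rather than through MandrivaUpdate or urpmi, the "Updated Packages" list can be checked mechanically. The script below is an added example, not part of the Mandriva advisory; the function names, the saved advisory file and the demo package are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): check hand-downloaded RPMs against
# the "<md5>  <path>" lines of a saved copy of the advisory text.

# verify_against_advisory ADVISORY_FILE RPM_DIR
# Prints OK / MISMATCH / MISSING per listed package; returns 0 only when at
# least one file was checked and none mismatched.
verify_against_advisory() {
    checked=0 bad=0 seen=" "
    while read -r sum path; do
        # Manifest lines: 32 lowercase hex digits, then a path ending in .rpm.
        [ "${#sum}" -eq 32 ] || continue
        case $sum in *[!0-9a-f]*) continue ;; esac
        case $path in *.rpm) ;; *) continue ;; esac
        name=${path##*/}          # advisory paths are mirror-relative
        # Source RPMs are listed once per architecture; check each pair once.
        case $seen in *" $name:$sum "*) continue ;; esac
        seen="$seen$name:$sum "
        if [ ! -f "$2/$name" ]; then
            echo "MISSING  $name"
            continue
        fi
        checked=$((checked + 1))
        actual=$(md5sum < "$2/$name" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed demo: one fake package whose listed checksum matches its content.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed package bytes\n' > "$d/example-1.0-1mdk.i586.rpm"
    sum=$(md5sum < "$d/example-1.0-1mdk.i586.rpm" | cut -d' ' -f1)
    printf ' Example Linux 1.0:\n %s  1.0/RPMS/example-1.0-1mdk.i586.rpm\n' \
        "$sum" > "$d/advisory.txt"
    verify_against_advisory "$d/advisory.txt" "$d"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

# Command-line use: sh <this script> ADVISORY_FILE RPM_DIR
if [ $# -eq 2 ]; then verify_against_advisory "$1" "$2"; fi
```

A matching MD5 only shows that the file equals the one listed here; authenticity still rests on the package signature, which `rpm --checksig` checks once the Mandriva Security Team key named in the advisory has been imported.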

