mailing list archives
[OpenPKG-SA-2006.023] OpenPKG Security Advisory (php)
From: OpenPKG <openpkg () openpkg org>
Date: Tue, 17 Oct 2006 09:09:57 +0200
-----BEGIN PGP SIGNED MESSAGE-----
OpenPKG Security Advisory OpenPKG GmbH
Vulnerability: privilege escalation, arbitrary code execution
OpenPKG Specific: no
Affected Series: Affected Packages: Corrected Packages:
1.0-ENTERPRISE N.A. >= php-5.1.6-E1.0.0
2-STABLE-20061018 N.A. >= php-5.1.6-2.20061018
2-STABLE <= php-5.1.5-2.20060818 >= php-5.1.6-2.20061018
CURRENT <= php-5.1.6-20061013 >= php-5.1.6-20061017
According to a security advisory  from Maksymilian Arciemowicz,
a vulnerability exists in the programming language PHP  which
allows local users to bypass certain Apache HTTP server "httpd.conf"
options, such as "safe_mode" and "open_basedir", via the "ini_restore"
function, which resets the values to their "php.ini" (master value)
defaults. The Common Vulnerabilities and Exposures (CVE) project
assigned the id CVE-2006-4625  to the problem.
According to a security advisory  from the Hardened-PHP project, an
integer overflow bug exists in the programming language PHP  which
allows remote attackers to execute arbitrary code via an argument to
the "unserialize" PHP function with a large value for the number of
array elements, which triggers the overflow in the underlying Zend
Engine "ecalloc" function. The Common Vulnerabilities and Exposures
(CVE) project assigned the id CVE-2006-4812  to the problem.
According to a security advisory  from the Hardened-PHP project, a
race condition in the "symlink" function of the programming language
PHP  exists which allows local users to bypass the "open_basedir"
restriction by using a combination of "symlink", "mkdir", and "unlink"
functions to change the file path after the "open_basedir" check and
before the file is opened by the underlying system, as demonstrated
by symlinking a symlink into a subdirectory, to point to a parent
directory via ".." sequences, and then unlinking the resulting
symlink. The Common Vulnerabilities and Exposures (CVE) project
assigned the id CVE-2006-5178  to the problem.
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg () openpkg org>" (ID 63C4CB9F) which
you can retrieve from http://www.openpkg.org/openpkg.pgp. Follow the
instructions on http://www.openpkg.org/security/signatures/ for details
on how to verify the integrity of this advisory.
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg () openpkg org>
-----END PGP SIGNATURE-----
- [OpenPKG-SA-2006.023] OpenPKG Security Advisory (php) OpenPKG (Oct 17)