Message-ID: <20091130215204.GV21038@inversepath.com>
Date: Mon, 30 Nov 2009 21:52:04 +0000
From: Andrea Barisani <lcars@...rt.org>
To: oss-security@...ts.openwall.com, ocert-announce@...ts.ocert.org,
bugtraq@...urityfocus.com
Subject: [oCERT-2009-017] PHP multiple issues
#2009-017 PHP multiple issues
Description:
PHP, an open source scripting language, suffers from several bugs that may
pose a security risk.
The reported issues have been discovered in several API functions; they
include buffer overflows, near null reads/writes, arbitrary memory read
and an off-by-one issue. Some of the issues have been previously reported
in older versions of PHP but they either have not been fixed or were
re-introduced at a later time. The issues have been discovered in both
core and, in some cases, PECL functions/classes/methods.
The following methods have been fixed.
ibase_pconnect
ibase_connect
com_print_typeinfo
popen
mssql_connect
mssql_pconnect
SplFileObject
DOMImplementation->createDocumentType
documentation()->public_id
SDO_DAS_ChangeSummary->beginLogging
SDO_DAS_Setting->getPropertyIndex
SDO_SequenceImpl->getProperty
The following methods have been removed in PHP 5.3; they are still
available without fixes in 5.2.11.
msql_close
msql_connect
msql_pconnect
msql_select_db
msql_list_tables
Affected version:
PHP < 5.3.1
Fixed version:
PHP >= 5.3.1
Credit: vulnerability report received from Emmanouel Kellinis, KPMG London.
CVE: N/A
Timeline:
2009-07-10: vulnerability report received
2009-07-15: contacted PHP security team
2009-07-15: vendor provides initial feedback, classifies the security
impact as low
2009-08-09: oCERT asks for feedback about the timescale for eventual fixes
2009-08-24: vendor replies that most issues will not be fixed as they are
present in deprecated extensions or are not understood
2009-08-25: reporter offers to clarify all the issues and provides test
cases
2009-08-26: after reporter feedback vendor commits more fixes
2009-10-05: reporter asks for clarification about fixed/pending bugs
2009-10-27: after further reporter feedback vendor commits more fixes
2009-11-30: advisory published
References:
http://svn.php.net/viewvc?view=revision&revision=289996
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/interbase/interbase.c?r1=272370&r284159
http://svn.php.net/viewvc?view=revision&revision=287779
http://svn.php.net/viewvc/php/php-src/trunk/TSRM/tsrm_win32.c?r1=287673&r2=287779
http://www.php.net/ChangeLog-5.php#5.3.1
Permalink:
http://www.ocert.org/advisories/ocert-2009-017.html
--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team
<lcars@...rt.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"