OpenPKG Corporation

OpenPKG Security Advisory

OpenPKG-SA-2004.053

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2004.053
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2004.053
Advisory Published:      2010-02-09 16:48 UTC

Issue Id (internal):     OpenPKG-SI-20041216.01
Issue First Created:     2004-12-16
Issue Last Modified:     2006-11-29
Issue Revision:          07


Subject Name:            PHP
Subject Summary:         Personal HomePage (PHP)
Subject Home:            http://www.php.net/
Subject Versions:        * <= 4.3.9

Vulnerability Id:        CVE-2004-1018, CVE-2004-1019, CVE-2004-1020, CVE-2004-1063, CVE-2004-1064, CVE-2004-1065
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           local system, remote network
Attack Impact:           arbitrary code execution

Description:

According to a PHP [0] vendor release announcement [1] and a security advisory [2] from Stefan Esser of the Hardened-PHP project, several very serious security issues were fixed in the 4.3.10 maintenance release. The OpenPKG project extracted and backported the fixes.

Out of bounds memory write access in shmop_write() and integer overflow/underflow in pack() and unpack() functions. CVE-2004-1018 was rejected later because it was not considered to be a security issue.

Possible information disclosure, double free and negative reference index array underflow in deserialization code. CVE-2004-1019

The addslashes() function does not escape \0 correctly. CVE-2004-1020 was rejected later because it was not considered to be a security issue.

Directory bypass in safe_mode execution. CVE-2004-1063 was rejected later because it was not considered to be a security issue.

Arbitrary file access through path truncation. CVE-2004-1064 was rejected later because it was not considered to be a security issue.

Function exif_read_data() suffers from overflow on long sectionname. CVE-2004-1065

The "magic_quotes_gpc" functionality could lead to one level directory traversal with file uploads. No CVE id.

References:

[0]  http://www.php.net/
[1]  http://www.php.net/release_4_3_10.php
[2]  http://www.hardened-php.net/advisories/012004.txt
[3]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1018
[4]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1019
[5]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1020
[6]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1063
[7]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1064
[8]  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1065
[9]  http://www.openpkg.org/tutorial.html#regular-source
[10] http://www.openpkg.org/tutorial.html#regular-binary
[11] ftp://ftp.openpkg.org/release/2.2/UPD/php-4.3.9-2.2.2.src.rpm
[12] ftp://ftp.openpkg.org/release/2.1/UPD/php-4.3.8-2.1.4.src.rpm
[13] ftp://ftp.openpkg.org/release/2.2/UPD/
[14] ftp://ftp.openpkg.org/release/2.1/UPD/
[15] http://www.openpkg.org/security.html#signature

Primary Package Name:    php
Primary Package Home:    http://openpkg.org/go/package/php

Affected Distribution:   Affected Branch:   Affected Package:
OpenPKG Community        2.1-SOLID          apache-1.3.31-2.1.6
OpenPKG Community        2.1-SOLID          php-4.3.8-2.1.2
OpenPKG Community        2.2-SOLID          apache-1.3.31-2.2.1
OpenPKG Community        2.2-SOLID          php-4.3.9-2.2.0
OpenPKG Community        CURRENT            apache-1.3.33-20041215
OpenPKG Community        CURRENT            php-4.3.9-20041130

Corrected Distribution:  Corrected Branch:  Corrected Package:
OpenPKG Community        2.1-SOLID          apache-1.3.31-2.1.8
OpenPKG Community        2.1-SOLID          php-4.3.8-2.1.4
OpenPKG Community        2.2-SOLID          apache-1.3.31-2.2.3
OpenPKG Community        2.2-SOLID          php-4.3.9-2.2.2
OpenPKG Community        CURRENT            apache-1.3.33-20041215
OpenPKG Community        CURRENT            php-4.3.10-20041215
