Executive Summary

Summary
Title PHP regression
Informations
NameUSN-424-2First vendor Publication2007-03-08
VendorUbuntuLast vendor Modification2007-03-08
Severity (Vendor) N/ARevisionN/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score10Attack RangeNetwork
Cvss Impact Score10Attack ComplexityLow
Cvss Expoit Score10AuthentificationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
libapache2-mod-php5 5.0.5-2ubuntu1.8
php5-cgi 5.0.5-2ubuntu1.8
php5-cli 5.0.5-2ubuntu1.8
php5-common 5.0.5-2ubuntu1.8

Ubuntu 6.06 LTS:
libapache2-mod-php5 5.1.2-1ubuntu3.6
php5-cgi 5.1.2-1ubuntu3.6
php5-cli 5.1.2-1ubuntu3.6
php5-common 5.1.2-1ubuntu3.6

Ubuntu 6.10:
libapache2-mod-php5 5.1.6-1ubuntu2.3
php5-cgi 5.1.6-1ubuntu2.3
php5-cli 5.1.6-1ubuntu2.3
php5-common 5.1.6-1ubuntu2.3

After a standard system upgrade you need to restart Apache or reboot
your computer to effect the necessary changes.

Details follow:

USN-424-1 fixed vulnerabilities in PHP. However, some upstream changes
were not included, which caused errors in the stream filters. This
update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Multiple buffer overflows have been discovered in various PHP modules.
If a PHP application processes untrusted data with functions of the
session or zip module, or various string functions, a remote attacker
could exploit this to execute arbitrary code with the privileges of
the web server. (CVE-2007-0906)

The sapi_header_op() function had a buffer underflow that could be
exploited to crash the PHP interpreter. (CVE-2007-0907)

The wddx unserialization handler did not correctly check for some
buffer boundaries and had an uninitialized variable. By unserializing
untrusted data, this could be exploited to expose memory regions that
were not meant to be accessible. Depending on the PHP application this
could lead to disclosure of potentially sensitive information.
(CVE-2007-0908)

On 64 bit systems (the amd64 and sparc platforms), various print
functions and the odbc_result_all() were susceptible to a format
string vulnerability. A remote attacker could exploit this to execute
arbitrary code with the privileges of the web server. (CVE-2007-0909)

Under certain circumstances it was possible to overwrite superglobal
variables (like the HTTP GET/POST arrays) with crafted session data.
(CVE-2007-0910)

When unserializing untrusted data on 64-bit platforms the
zend_hash_init() function could be forced to enter an infinite loop,
consuming CPU resources, for a limited length of time, until the
script timeout alarm aborts the script. (CVE-2007-0988)


Original Source

Url : http://www.ubuntu.com/usn/USN-424-2

CWE : Common Weakness Enumeration

idName
CWE-119Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-20Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:8992
 
Oval ID: oval:org.mitre.oval:def:8992
Title: Multiple buffer overflows in PHP before 5.2.1 allow attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors in the (1) session, (2) zip, (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6) str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user, and (10) ibase_modify_user functions. NOTE: vector 6 might actually be an integer overflow (CVE-2007-1885). NOTE: as of 20070411, vector (3) might involve the imap_mail_compose function (CVE-2007-1825).
Description: Multiple buffer overflows in PHP before 5.2.1 allow attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors in the (1) session, (2) zip, (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6) str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user, and (10) ibase_modify_user functions. NOTE: vector 6 might actually be an integer overflow (CVE-2007-1885). NOTE: as of 20070411, vector (3) might involve the imap_mail_compose function (CVE-2007-1825).
Family: unix Class: vulnerability
Reference(s): CVE-2007-0906
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11321
 
Oval ID: oval:org.mitre.oval:def:11321
Title: Buffer underflow in PHP before 5.2.1 allows attackers to cause a denial of service via unspecified vectors involving the sapi_header_op function.
Description: Buffer underflow in PHP before 5.2.1 allows attackers to cause a denial of service via unspecified vectors involving the sapi_header_op function.
Family: unix Class: vulnerability
Reference(s): CVE-2007-0907
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11185
 
Oval ID: oval:org.mitre.oval:def:11185
Title: The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.
Description: The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.
Family: unix Class: vulnerability
Reference(s): CVE-2007-0908
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9722
 
Oval ID: oval:org.mitre.oval:def:9722
Title: Multiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function.
Description: Multiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function.
Family: unix Class: vulnerability
Reference(s): CVE-2007-0909
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9514
 
Oval ID: oval:org.mitre.oval:def:9514
Title: Unspecified vulnerability in PHP before 5.2.1 allows attackers to "clobber" certain super-global variables via unspecified vectors.
Description: Unspecified vulnerability in PHP before 5.2.1 allows attackers to "clobber" certain super-global variables via unspecified vectors.
Family: unix Class: vulnerability
Reference(s): CVE-2007-0910
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11092
 
Oval ID: oval:org.mitre.oval:def:11092
Title: The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument.
Description: The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument.
Family: unix Class: vulnerability
Reference(s): CVE-2007-0988
 Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application89
Application1
Os2

Open Source Vulnerability Database (OSVDB)

idDescription
34715PHP ibase_modify_user() Function Unspecified Overflow
34714PHP ibase_add_user() Function Unspecified Overflow
34713PHP ibase_delete_user() Function Unspecified Overflow
34712PHP mail() Function Unspecified Overflow
34711PHP str_replace() Function Unspecified Overflow
34710PHP stream Filters Unspecified Overflow
34709PHP sqlite Extension Unspecified Overflow
34708PHP imap Extension Unspecified Overflow
34707PHP zip Extension Unspecified Overflow
34706PHP Session Extension Unspecified Overflow
32767PHP sapi_header_op Function Underflow DoS
32766PHP wddx Extension Unspecified Information Disclosure
32765PHP odbc_result_all Function Format String
32764PHP on 64-bit Multiple print Function Format String
32763PHP Super-global Variable Unspecified Clobber
32762PHP on 64-bit zend_hash_init Function Remote DoS

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2013-05-11 12:25:47
  • Multiple Updates