[php-maint] Bug#341368: marked as done (CVE-2005-3883: Injection of arbitrary values into the To:-header of the md_send_mail() function)

Debian Bug Tracking System owner at bugs.debian.org
Sat Jan 7 14:18:19 UTC 2006


Your message dated Sat, 07 Jan 2006 06:02:15 -0800
with message-id <E1EvEe7-0004Ea-OW at spohr.debian.org>
and subject line Bug#341368: fixed in php5 5.1.1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 30 Nov 2005 09:09:19 +0000
From: Moritz Muehlenhoff <jmm at inutil.org>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: CVE-2005-3883: Injection of arbitrary values into the To:-header of the
 md_send_mail() function
X-Mailer: reportbug 3.17
Date: Wed, 30 Nov 2005 10:08:57 +0100
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Message-Id: <E1EhNxR-0001Wu-BF at localhost.localdomain>

Package: php5
Severity: important
Tags: security

Quoting from http://bugs.php.net/bug.php?id=35307:

 Description:
 ------------
 The unexpected header can be injected at the mb_send_mail function.
 The mail function is doing the check of the unexpected control code to
 "To" and "Subject".
 However, the mb_send_mail function isn't doing a check.

 By the feature of the function overload, mail function is exchanged for
 the mb_send_mail function.
 Therefore, it thinks that the check like the mail function is necessary
 about the mb_send_mail function, too.

This has been assigned CVE-2005-3883 and it's fixed upstream in 5.1.0.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)
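
The check that the report says mb_send_mail() lacks can also be enforced in application code before the call is made. The following is an added example, not part of the bug report or of PHP's upstream fix; the helper names find_header_control_chars() and guarded_mb_send_mail() and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example: application-side guard for the To and Subject values
// handed to mb_send_mail(). Helper names are hypothetical.

/**
 * Return offset and byte value of every control character in a header value.
 * CR and LF end a header line, so any value containing them can start a new
 * header; other C0 controls and DEL do not belong in To or Subject either.
 */
function find_header_control_chars(string $value): array
{
    $hits = [];
    if (preg_match_all('/[\x00-\x1F\x7F]/', $value, $m, PREG_OFFSET_CAPTURE)) {
        foreach ($m[0] as [$char, $offset]) {
            $hits[] = ['offset' => $offset, 'byte' => sprintf('0x%02X', ord($char))];
        }
    }
    return $hits;
}

/**
 * Call mb_send_mail() only when To and Subject are free of control bytes.
 * The value is rejected rather than rewritten, so a tampered request
 * leaves a trace in the error log instead of being silently repaired.
 */
function guarded_mb_send_mail(string $to, string $subject, string $body): bool
{
    foreach (['To' => $to, 'Subject' => $subject] as $name => $value) {
        $hits = find_header_control_chars($value);
        if ($hits !== []) {
            error_log(sprintf('mail rejected: %s contains control bytes %s',
                $name, json_encode($hits)));
            return false;
        }
    }
    return mb_send_mail($to, $subject, $body);
}

// Constructed sample values: a plain address, and one carrying a CRLF
// followed by an extra header line.
$samples = [
    'user@example.org',
    "user@example.org\r\nBcc: other@example.net",
];

// Only the checker is exercised here, so the demo sends no mail.
foreach ($samples as $s) {
    printf("%s => %s\n", json_encode($s), json_encode(find_header_control_chars($s)));
}
```

Because mail() can be replaced by mb_send_mail() through function overloading, the guard belongs in front of both calls on PHP versions older than the fixed release.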

---------------------------------------
Received: (at 341368-close) by bugs.debian.org; 7 Jan 2006 14:10:52 +0000
From: Adam Conrad <adconrad at 0c3.net>
To: 341368-close at bugs.debian.org
X-Katie: $Revision: 1.65 $
Subject: Bug#341368: fixed in php5 5.1.1-1
Message-Id: <E1EvEe7-0004Ea-OW at spohr.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Sat, 07 Jan 2006 06:02:15 -0800

Source: php5
Source-Version: 5.1.1-1

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache-mod-php5_5.1.1-1_i386.deb
  to pool/main/p/php5/libapache-mod-php5_5.1.1-1_i386.deb
libapache-mod-php5_5.1.1-1_powerpc.deb
  to pool/main/p/php5/libapache-mod-php5_5.1.1-1_powerpc.deb
libapache2-mod-php5_5.1.1-1_i386.deb
  to pool/main/p/php5/libapache2-mod-php5_5.1.1-1_i386.deb
libapache2-mod-php5_5.1.1-1_powerpc.deb
  to pool/main/p/php5/libapache2-mod-php5_5.1.1-1_powerpc.deb
php-pear_5.1.1-1_all.deb
  to pool/main/p/php5/php-pear_5.1.1-1_all.deb
php5-cgi_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-cgi_5.1.1-1_i386.deb
php5-cgi_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-cgi_5.1.1-1_powerpc.deb
php5-cli_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-cli_5.1.1-1_i386.deb
php5-cli_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-cli_5.1.1-1_powerpc.deb
php5-common_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-common_5.1.1-1_i386.deb
php5-common_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-common_5.1.1-1_powerpc.deb
php5-curl_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-curl_5.1.1-1_i386.deb
php5-curl_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-curl_5.1.1-1_powerpc.deb
php5-dev_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-dev_5.1.1-1_i386.deb
php5-dev_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-dev_5.1.1-1_powerpc.deb
php5-gd_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-gd_5.1.1-1_i386.deb
php5-gd_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-gd_5.1.1-1_powerpc.deb
php5-ldap_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-ldap_5.1.1-1_i386.deb
php5-ldap_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-ldap_5.1.1-1_powerpc.deb
php5-mhash_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-mhash_5.1.1-1_i386.deb
php5-mhash_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-mhash_5.1.1-1_powerpc.deb
php5-mysql_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-mysql_5.1.1-1_i386.deb
php5-mysql_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-mysql_5.1.1-1_powerpc.deb
php5-odbc_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-odbc_5.1.1-1_i386.deb
php5-odbc_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-odbc_5.1.1-1_powerpc.deb
php5-pgsql_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-pgsql_5.1.1-1_i386.deb
php5-pgsql_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-pgsql_5.1.1-1_powerpc.deb
php5-recode_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-recode_5.1.1-1_i386.deb
php5-recode_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-recode_5.1.1-1_powerpc.deb
php5-snmp_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-snmp_5.1.1-1_i386.deb
php5-snmp_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-snmp_5.1.1-1_powerpc.deb
php5-sqlite_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-sqlite_5.1.1-1_i386.deb
php5-sqlite_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-sqlite_5.1.1-1_powerpc.deb
php5-sybase_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-sybase_5.1.1-1_i386.deb
php5-sybase_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-sybase_5.1.1-1_powerpc.deb
php5-xmlrpc_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-xmlrpc_5.1.1-1_i386.deb
php5-xmlrpc_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-xmlrpc_5.1.1-1_powerpc.deb
php5-xsl_5.1.1-1_i386.deb
  to pool/main/p/php5/php5-xsl_5.1.1-1_i386.deb
php5-xsl_5.1.1-1_powerpc.deb
  to pool/main/p/php5/php5-xsl_5.1.1-1_powerpc.deb
php5_5.1.1-1.diff.gz
  to pool/main/p/php5/php5_5.1.1-1.diff.gz
php5_5.1.1-1.dsc
  to pool/main/p/php5/php5_5.1.1-1.dsc
php5_5.1.1-1_all.deb
  to pool/main/p/php5/php5_5.1.1-1_all.deb
php5_5.1.1.orig.tar.gz
  to pool/main/p/php5/php5_5.1.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 341368 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad at 0c3.net> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 15 Dec 2005 14:46:56 +1100
Source: php5
Binary: php5-gd php5-ldap php5 php5-xmlrpc libapache2-mod-php5 php5-xsl php5-cgi php-pear php5-pgsql php5-cli php5-recode php5-mhash php5-sybase php5-curl php5-odbc php5-mysql php5-common php5-snmp php5-dev php5-sqlite libapache-mod-php5
Architecture: all i386 powerpc source 
Version: 5.1.1-1
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint at lists.alioth.debian.org>
Changed-By: Adam Conrad <adconrad at 0c3.net>
Description: 
 libapache-mod-php5 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (apache 2.0 module)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (meta-package)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dev   - Files for PHP5 module development
 php5-gd    - GD module for php5
 php5-ldap  - LDAP module for php5
 php5-mhash - MHASH module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 333374 334969 335674 336005 336654 341368 341867 343793 344816
Changes: 
 php5 (5.1.1-1) unstable; urgency=low
 .
   * New upstream bugfix release, skipping the problematic 5.1.0 release:
     - Fixes a zend.ze1_compatibility_mode segfault (closes: #333374)
     - Remove libtool patch from acinclude.m4, now integrated upstream.
     - Remove 038-round_test_fix.patch, now integrated upstream.
     - Remove 049-exported-headers.patch, as upstream's build system has
       gotten more clever about what they should and shouldn't export.
     - Remove 054-open_basedir_slash.patch, now integrated upstream.
     - Remove 055-gd_safe_mode_checks.patch, fixed differently upstream.
     - Mangle 101-sqlite_is_shared.patch, to deal with upstream changes.
     - Remove 104-64_bit_serialize.patch, now integrated upstream.
     - Remove 105-64_bit_imagettftext.patch, now integrated upstream.
   * Many security vulnerabilities fixed (closes: #341368, #336005, #336654):
     - Resolves a local denial of service in the apache2 SAPI, which can
       be triggered by using session.save_path in .htaccess; CVE-2005-3319
     - Resolves an infinite loop in the exif_read_data function which can
       be triggered with a specially-crafted JPEG image; CVE-2005-3353
     - Resolves a vulnerability in the parse_str function whereby a remote
       attacker can fool PHP into turning on register_globals, thus making
       applications vulnerable to global variable injections; CVE-2005-3389
     - Resolves a vulnerability in the RFC1867 file upload feature where, if
       register_globals is enabled, a remote attacker can modify the GLOBALS
       array with a multipart/form-data POST request; see CVE-2005-3390
     - Resolves numerous safe_mode and open_basedir bypasses; CVE-2005-3391
     - Resolves INI settings leaks in the apache2 SAPI, leading to safe_mode
       and open_basedir bypasses between virtual hosts; CVE-2005-3392
     - Resolves a CRLF injection vulnerability in the mb_send_mail function,
       allowing injection of arbitrary mail headers; see CVE-2005-3883
     - Includes PEAR 1.4.5, resolving a vulnerability in the pear installer
       which could lead to arbitrary code execution; see CVE-2005-4154
   * Bump libdb build-dep from libdb4.2 to libdb4.3, to match with apache.
   * Bump our MySQL build-dep to 5.0's libmysqlclient15-dev (closes: #343793)
   * Automate the process of getting the list of built-in modules into the
     package descriptions, so it stays fresh in the future (closes: #341867)
   * Intentionally disable PDO support until I've sorted out the best way to
     deal with shipping this shiny new feature that won't break the world.
   * The new PEAR happens to fix the Command.php greedy match bug filed in
     Debian as part of the fix for the wider security issue (closes: #334969)
   * Create 056-mime_magic_strings.patch, making the mime_magic extension
     more liberal about what mime-types it accepts, as well as making it skip
     over ones it dislikes, rather than disabling itself (closes: #335674)
   * Add 057-no_apache_installed.patch, to stop spewing a mess of errors in
     configure because we don't have the apache binaries in the build chroot.
   * Fix small typo in the php5-xsl package description (closes: #344816)
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDv77vvjztR8bOoMkRAmz0AJ9MyfXRpaoWZ/ehlyIpPwTAK3xb9wCglsAO
I4nvSRmmRNzSDalSE7hXz7Y=
=B0xy
-----END PGP SIGNATURE-----



