[php-maint] Bug#370166: php4-curl: [CVE-2006-2563] PHP cURL
Safe_Mode Bypass Vulnerability
SALVETTI Djoume
djoume at taket.org
Sat Jun 3 19:28:26 UTC 2006
Package: php4-curl
Severity: normal
Tags: security patch
Good day,
CVE-2006-2563 :
| The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to
| bypass safe mode and read files via a
| file:// request containing null characters.
More info (and an exploit) is available from :
http://www.securityfocus.com/archive/1/archive/1/435194/100/0/threaded
This have been fixed in upstream CVS
http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14&r2=1.62.2.15
patch is attached.
Please mention the CVE number in changelog when fixing this bug.
Regards
--
Djoume SALVETTI
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: powerpc (ppc)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-powerpc
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
-------------- next part --------------
--- curl.c.sav 2006-06-03 21:14:42.000000000 +0200
+++ curl.c 2006-06-03 21:14:51.000000000 +0200
@@ -119,6 +119,11 @@
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid url '%s'", str); \
RETURN_FALSE; \
} \
+ \
+ if (php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) { \
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Url '%s' contains unencoded control characters.", str); \
+ RETURN_FALSE; \
+ } \
\
if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
More information about the pkg-php-maint
mailing list