[php-maint] Bug#370165: php5-curl: [CVE-2006-2563] PHP cURL Safe_Mode Bypass Vulnerability

SALVETTI Djoume djoume at taket.org
Sat Jun 3 19:26:32 UTC 2006


Package: php5-curl
Severity: normal
Tags: security patch


Good day,

CVE-2006-2563:

| The cURL library (libcurl) in PHP 4.4.2 and 5.1.4 allows attackers to
| bypass safe mode and read files via a
| file:// request containing null characters.


More info (and an exploit) is available from:
http://www.securityfocus.com/archive/1/archive/1/435194/100/0/threaded

This has been fixed in upstream CVS:

http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14&r2=1.62.2.15

Patch is attached.

Please mention the CVE number in changelog when fixing this bug.

Regards
-- 
Djoume SALVETTI

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-powerpc
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
-------------- next part --------------
--- interface.c	2006/04/13 11:26:10	1.62.2.14
+++ interface.c	2006/05/21 16:33:39	1.62.2.15
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: interface.c,v 1.62.2.14 2006/04/13 11:26:10 tony2001 Exp $ */
+/* $Id: interface.c,v 1.62.2.15 2006/05/21 16:33:39 iliaa Exp $ */
 
 #define ZEND_INCLUDE_FULL_WINDOWS_HEADERS
 
@@ -161,11 +161,16 @@
 	    strncasecmp(str, "file:", sizeof("file:") - 1) == 0)								\
 	{ 																							\
 		php_url *tmp_url; 																		\
-																								\
+															\
 		if (!(tmp_url = php_url_parse_ex(str, len))) {											\
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid url '%s'", str);				\
 			RETURN_FALSE; 																		\
 		} 																						\
+															\
+		if (php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) {				\
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Url '%s' contains unencoded control characters.", str);	\
+			RETURN_FALSE;											\
+		}													\
 																								\
 		if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || 									\
 			(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM))	\
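Review bot: the new early return leaks the parsed URL: by the time the `php_memnstr` branch runs, `tmp_url` has been allocated by `php_url_parse_ex`, and the branch does `RETURN_FALSE;` without releasing it (the earlier `Invalid url` branch is fine because `tmp_url` is still NULL there); add `php_url_free(tmp_url);` before that `RETURN_FALSE;`. The sense of the condition is also worth double-checking: as written, the warning fires when `tmp_url->path` is found verbatim inside `str`, which is equally true of an ordinary `file:///var/www/x`, so a test with a well-formed file:// URL next to one carrying an embedded NUL should confirm the intended direction. Minor: `%s` in the warning stops at the first NUL, so the logged URL will never show the part being complained about.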


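An added example in C (not part of this report or of PHP's own code) showing the length-versus-C-string mismatch behind this bug class and two checks a runtime can apply before handing a file:// URL to a NUL-terminated API; the function names and the sample URLs are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Scan the length-delimited URL for bytes that a C-string consumer would
 * either stop at (NUL) or pass along unencoded (other control bytes).
 * Returns 1 if any such byte is present, 0 otherwise. */
int url_has_unencoded_control(const char *url, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c < 0x20 || c == 0x7f)
            return 1;
    }
    return 0;
}

/* Case-insensitive test for a "file://" prefix within the declared length. */
static int has_file_prefix(const char *url, size_t len)
{
    static const char prefix[] = "file://";
    size_t plen = sizeof(prefix) - 1;
    if (len < plen)
        return 0;
    for (size_t i = 0; i < plen; i++)
        if (tolower((unsigned char)url[i]) != prefix[i])
            return 0;
    return 1;
}

/* Locate the path of a file:// URL by declared length (skipping any host part
 * up to the path's leading '/') and report whether the path a NUL-terminated
 * API would see is as long as the path the caller supplied. Returns 1 when the
 * two agree, 0 when they differ or the URL is not a file:// URL. */
int file_url_path_consistent(const char *url, size_t len)
{
    if (!has_file_prefix(url, len))
        return 0;
    const char *p = url + 7, *end = url + len;
    while (p < end && *p != '/')          /* skip authority */
        p++;
    size_t declared = (size_t)(end - p);  /* bytes the caller passed */
    size_t cstring = 0;                   /* bytes strlen() would count */
    while (cstring < declared && p[cstring] != '\0')
        cstring++;
    return declared == cstring;
}

int main(void)
{
    const char bad[] = "file:///tmp/secret.txt\0/var/www/allowed.txt"; /* constructed */
    printf("control bytes: %d, path consistent: %d\n",
           url_has_unencoded_control(bad, sizeof(bad) - 1),
           file_url_path_consistent(bad, sizeof(bad) - 1));
    return 0;
}
```

Either check rejects the constructed URL; the second one is the specific length-agreement test the PHP patch above tries to express.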