[Secure-testing-team] php 5.2.6 Security Fixes
Kees Cook
kees at outflux.net
Wed May 7 21:52:41 UTC 2008
Hi,
Dustin Kirkland from the Ubuntu Server Team tracked down commits that
map to these issues.
On Tue, May 06, 2008 at 10:16:25AM +0000, Moritz Naumann wrote:
> * Fixed possible stack buffer overflow in FastCGI SAPI. (Andrei
> Nigmatulin)
> --> CVE-2008-2050 (acc. to
> http://marc.info/?l=oss-security&m=120974347717937)
> --> not tracked by Debian yet
http://marc.info/?l=php-cvs&m=120721829703242&w=2
> * Properly address incomplete multibyte chars inside escapeshellcmd()
> (Ilia, Stefan Esser)
> --> CVE-2008-2051 (acc. to
> http://marc.info/?l=oss-security&m=120974347717937)
> --> not tracked yet
http://marc.info/?l=php-cvs&m=120579496007399&w=2
> * Fixed security issue detailed in CVE-2008-0599. (Rasmus)
> --> CVE-2008-0599 (acc. to http://www.php.net/ChangeLog-5.php)
> --> already tracked at
> http://security-tracker.debian.net/tracker/CVE-2008-0599
http://marc.info/?l=php-cvs&m=120415902925033&w=2
> * Fixed a safe_mode bypass in cURL identified by Maksymilian
> Arciemowicz. (Ilia)
> --> CVE-2007-4850 (acc. to
> http://securityreason.com/achievement_securityalert/51)
> --> already tracked at
> http://security-tracker.debian.net/tracker/CVE-2007-4850
> --> missing source package reference at
> http://security-tracker.debian.net/tracker/source-package/php5
http://marc.info/?l=php-cvs&m=119963956428826&w=2
> * Upgraded PCRE to version 7.6 (Nuno)
> --> CVE-2008-0674 (best match, no reference found)
> --> not tracked yet
> --> possibly missing reference at
> http://security-tracker.debian.net/tracker/CVE-2008-0674
> (but should really be tracked separately)
> --> local code execution through buffer overflow
http://marc.info/?l=php-cvs&m=120163838831816&w=2
php links against the system pcre, though, correct? So I think this can
be ignored? Ah, yes, Thijs confirmed this in the bug report.
On Tue, May 06, 2008 at 04:47:32PM +0200, Moritz Muehlenhoff wrote:
> > http://www.php.net/ChangeLog-5.php lists several security fixes which are
> > included in upstream PHP 5.2.6:
>
> Thanks, there are two more, which I found and which I just committed to
> the tracker:
>
> +CVE-2008-XXXX [php integer overflow in printf]
> + - php5 <unfixed>
> + NOTE: http://www.php.net/ChangeLog-5.php
> + NOTE: Needs further details or digging in SVN
http://marc.info/?l=php-cvs&m=120579485607237&w=2
> +CVE-2008-XXXX [php suboptimal seeding]
> + - php5 <unfixed> (low)
> + - php4 <unfixed> (low)
> + NOTE: http://www.sektioneins.de/advisories/SE-2008-02.txt
> + NOTE: I don't believe we need to address this, likely no-dsa, but needs further checking
http://marc.info/?l=php-cvs&m=117601921106002&w=2
"However, the last one is from Sun Apr 8 08:04:31 2007 UTC, which seems
like ages ago. We might already have that one?"
--
Kees Cook @outflux.net