Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

USN-455-1: PHP vulnerabilities

27 April 2007

PHP vulnerabilities

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Details

Stefan Esser discovered multiple vulnerabilities in the "Month of PHP
bugs".

The substr_compare() function did not sufficiently verify its length
argument. This might be exploited to read otherwise unaccessible
memory, which might lead to information disclosure. (CVE-2007-1375)

The shared memory (shmop) functions did not verify resource types,
thus they could be called with a wrong resource type that might
contain user supplied data. This could be exploited to read and write
arbitrary memory addresses of the PHP interpreter. This issue does
not affect Ubuntu 7.04. (CVE-2007-1376)

The php_binary handler of the session extension was missing a boundary
check. When unserializing overly long variable names this could be
exploited to read up to 126 bytes of memory, which might lead to
information disclosure. (CVE-2007-1380)

The internal array_user_key_compare() function, as used for example by
the PHP function uksort(), incorrectly handled memory unreferencing of
its arguments. This could have been exploited to execute arbitrary
code with the privileges of the PHP interpreter, and thus
circumventing any disable_functions, open_basedir, or safe_mode
restrictions. (CVE-2007-1484)

The session_regenerate_id() function did not properly clean up the
former session identifier variable. This could be exploited to crash
the PHP interpreter, possibly also remotely. (CVE-2007-1521)

Under certain conditions the mb_parse_str() could cause the
register_globals configuration option to become permanently enabled.
This opened an attack vector for a large and common class of
vulnerabilities. (CVE-2007-1583)

The session extension did not set the correct reference count value
for the session variables. By unsetting _SESSION and HTTP_SESSION_VARS
(or tricking a PHP script into doing that) this could be exploited to
execute arbitrary code with the privileges of the PHP interpreter. This
issue does not affect Ubuntu 7.04. (CVE-2007-1700)

The mail() function did not correctly escape control characters in
multiline email headers. This could be remotely exploited to inject
arbitrary email headers. (CVE-2007-1718)

The php_stream_filter_create() function had an off-by-one buffer
overflow in the handling of wildcards. This could be exploited to
remotely crash the PHP interpreter. This issue does not affect Ubuntu
7.04. (CVE-2007-1824)

When calling the sqlite_udf_decode_binary() with special arguments, a
buffer overflow happened. Depending on the application this could be
locally or remotely exploited to execute arbitrary code with the
privileges of the PHP interpreter. (CVE-2007-1887 CVE-2007-1888)

The FILTER_VALIDATE_EMAIL filter extension used a wrong
regular expression that allowed injecting a newline character at the
end of the email string. This could be exploited to inject
arbitrary email headers. This issue only affects Ubuntu 7.04.
(CVE-2007-1900)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 7.04
  • php5-cli - 5.2.1-0ubuntu1.1
  • php5-cgi - 5.2.1-0ubuntu1.1
  • libapache2-mod-php5 - 5.2.1-0ubuntu1.1
  • php5-sqlite - 5.2.1-0ubuntu1.1
Ubuntu 6.10
  • php5-cli - 5.1.6-1ubuntu2.4
  • php5-cgi - 5.1.6-1ubuntu2.4
  • libapache2-mod-php5 - 5.1.6-1ubuntu2.4
  • php5-sqlite - 5.1.6-1ubuntu2.4
Ubuntu 6.06
  • php5-cli - 5.1.2-1ubuntu3.7
  • php5-cgi - 5.1.2-1ubuntu3.7
  • libapache2-mod-php5 - 5.1.2-1ubuntu3.7
  • php5-sqlite - 5.1.2-1ubuntu3.7

In general, a standard system upgrade is sufficient to effect the
necessary changes.