SB2010120701 - Multiple vulnerabilities in PHP
Published: December 7, 2010 Updated: June 8, 2025
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2010-2093)
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a use-after-free error when processing a stream context structure that is freed before destruction occurs. Context-dependent attackers can cause a denial of service (crash).
Successful exploitation of the vulnerability may allow an attacker to compromise a vulnerable system.
2) Information disclosure (CVE-ID: CVE-2010-1914)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The Zend Engine in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information by interrupting the handler for the (1) ZEND_BW_XOR opcode (shift_left_function), (2) ZEND_SL opcode (bitwise_xor_function), or (3) ZEND_SR opcode (shift_right_function), related to the convert_to_long_base function.
3) Information disclosure (CVE-ID: CVE-2010-1915)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The preg_quote function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature, modification of ZVALs whose values are not updated in the associated local variables, and access of previously-freed memory.
4) Input validation error (CVE-ID: CVE-2010-1129)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The safe_mode implementation in PHP before 5.2.13 does not properly handle directory pathnames that lack a trailing / (slash) character, which allows context-dependent attackers to bypass intended access restrictions via vectors related to use of the tempnam function.
Remediation
Install the update from the vendor's website.
References
- http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00000.html
- http://php-security.org/2010/05/12/mops-2010-022-php-stream-context-use-after-free-on-request-shutdown-vulnerability/index.html
- http://www.php-security.org/2010/05/08/mops-2010-014-php-zend_bw_xor-opcode-interruption-address-information-leak-vulnerability/index.html
- http://www.php-security.org/2010/05/08/mops-2010-015-php-zend_sl-opcode-interruption-address-information-leak-vulnerability/index.html
- http://www.php-security.org/2010/05/08/mops-2010-016-php-zend_sr-opcode-interruption-address-information-leak-vulnerability/index.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/58587
- http://www.php-security.org/2010/05/09/mops-2010-017-php-preg_quote-interruption-information-leak-vulnerability/index.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/58586
- http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02286083
- http://lists.apple.com/archives/security-announce/2010//Aug/msg00003.html
- http://secunia.com/advisories/38708
- http://secunia.com/advisories/40551
- http://securitytracker.com/id?1023661
- http://support.apple.com/kb/HT4312
- http://www.php.net/ChangeLog-5.php
- http://www.php.net/releases/5_2_13.php
- http://www.securityfocus.com/bid/38431
- http://www.vupen.com/english/advisories/2010/0479
- http://www.vupen.com/english/advisories/2010/1796