SB2012092403 - Gentoo update for PHP

Description

This security bulletin contains information about 19 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2011-1398)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.

2) Code Injection (CVE-ID: CVE-2011-3379)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the __autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders.

3) Input validation error (CVE-ID: CVE-2011-4566)

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can read the contents of arbitrary memory locations or cause a denial of service via a crafted offset_val value in an EXIF header in a JPEG file, a different vulnerability than CVE-2011-0708.

4) Input validation error (CVE-ID: CVE-2011-4885)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-0057)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

PHP before 5.3.9 has improper libxslt security settings, which allows remote attackers to create arbitrary files via a crafted XSLT stylesheet that uses the libxslt output extension.

6) Input validation error (CVE-ID: CVE-2012-0788)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The PDORow implementation in PHP before 5.3.9 does not properly interact with the session feature, which allows remote attackers to cause a denial of service (application crash) via a crafted application that uses a PDO driver for a fetch and then calls the session_start function, as demonstrated by a crash of the Apache HTTP Server.

7) Memory leak (CVE-ID: CVE-2012-0789)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the timezone functionality in PHP before 5.3.9 allows remote attackers to cause a denial of service (memory consumption) by triggering many strtotime function calls, which are not properly handled by the php_date_parse_tzfile cache. A remote attacker can perform a denial of service attack.

8) Resource management error (CVE-ID: CVE-2012-0830)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885.

9) SQL injection (CVE-ID: CVE-2012-0831)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

10) Input validation error (CVE-ID: CVE-2012-1172)

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, which makes it easier for remote attackers to cause a denial of service (malformed $_FILES indexes) or conduct directory traversal attacks during multi-file uploads by leveraging a script that lacks its own filename restrictions.

11) OS command injection (CVE-ID: CVE-2012-1823)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to error when parsing QUERY_STRING parameters within PHP-CGI-based application (sapi/cgi/cgi_main.c). A remote attacker can send specially crafted HTTP request with query string without the "=" (equals sign) character, inject and execute arbitrary OS commands on vulnerable system with privileges of the web server.

Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

12) Cryptographic issues (CVE-ID: CVE-2012-2143)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password. As per: http://git.php.net/?p=php-src.git;a=commitdiff;h=aab49e934de1fff046e659cbec46e3d053b41c34 and http://git.php.net/?p=php-src.git;a=commitdiff_plain;h=aab49e934de1fff046e659cbec46e3d053b41c34 PHP 5.3.13 and earlier are vulnerable.

13) OS command injection (CVE-ID: CVE-2012-2311)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to error when parsing QUERY_STRING parameters within PHP-CGI-based application (sapi/cgi/cgi_main.c). A remote attacker can send specially crafted HTTP request with query string, contain a %3D sequence but no = (equals sign) character, inject and execute arbitrary OS commands on vulnerable system with privileges of the web server.

Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.

This vulnerability is a result of an incomplete fix for SB2012050301.

Note: the vulnerability was being actively exploited.

14) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-2335)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence.

15) Input validation error (CVE-ID: CVE-2012-2336)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.

16) Heap-based buffer overflow (CVE-ID: CVE-2012-2386)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4. A remote attacker can use a crafted tar file that triggers a heap-based buffer overflow. to trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

17) Heap-based buffer underflow (CVE-ID: CVE-2012-2688)

The vulnerability allows a remote attacker to cause DoS conditions or execute arbitrary code on the target system.

The weakness exists due to heap-based buffer underflow in the PHP scandir() function. A remote attacker can create specially crafted files, upload them to a directory the scandir() function runs on and cause the PHP interpreter to crash or execute arbitrary code with privileges of the web server.

Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

18) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-3365)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism via unspecified vectors.

19) Input validation error (CVE-ID: CVE-2012-3450)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during parsing of prepared statements, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted parameter value.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/
• https://security.gentoo.org/glsa/201209-03