Advisories MDKSA-2007:187: Updated PHP packages fix numerous vulnerabilities

[paul]

Numerous vulnerabilities were discovered in the PHP scripting language

that are corrected with this update.

 

An integer overflow in the substr_compare() function allows

context-dependent attackers to read sensitive memory via a large

value in the length argument. This only affects PHP5 (CVE-2007-1375).

 

A stack-based buffer overflow in the zip:// URI wrapper in PECL

ZIP 1.8.3 and earlier allowes remote attackers to execute arbitrary

code via a long zip:// URL. This only affects Corporate Server 4.0

(CVE-2007-1399).

 

A CRLF injection vulnerability in the FILTER_VALIDATE_EMAIL filter

could allow an attacker to inject arbitrary email headers via a

special email address. This only affects Mandriva Linux 2007.1

(CVE-2007-1900).

 

The mcrypt_create_iv() function calls php_rand_r() with an

uninitialized seed variable, thus always generating the same

initialization vector, which may allow an attacker to decrypt

certain data more easily because of the guessable encryption keys

(CVE-2007-2727).

 

The soap extension calls php_rand_r() with an uninitialized seec

variable, which has unknown impact and attack vectors; an issue

similar to that affecting mcrypt_create_iv(). This only affects PHP5

(CVE-2007-2728).

 

The substr_count() function allows attackers to obtain sensitive

information via unspecified vectors. This only affects PHP5

(CVE-2007-2748).

 

An infinite loop was found in the gd extension that could be used to

cause a denial of service if a script were forced to process certain

PNG images from untrusted sources (CVE-2007-2756).

 

An integer overflow flaw was found in the chunk_split() function that

ould possibly execute arbitrary code as the apache user if a remote

attacker was able to pass arbitrary data to the third argument of

chunk_split() (CVE-2007-2872).

 

A flaw in the PHP session cookie handling could allow an attacker to

create a cross-site cookie insertion attack if a victim followed an

untrusted carefully-crafted URL (CVE-2007-3799).

 

Various integer overflow flaws were discovered in the PHP gd extension

that could allow a remote attacker to execute arbitrary code as the

apache user (CVE-2007-3996).

 

A flaw in the wordwrap() frunction could result in a denial of ervice

if a remote attacker was able to pass arbitrary data to the function

(CVE-2007-3998).

 

A flaw in the money_format() function could result in an information

leak or denial of service if a remote attacker was able to pass

arbitrary data to this function; this situation would be unlikely

however (CVE-2007-4658).

 

A bug in the PHP session cookie handling could allow an attacker to

stop a victim from viewing a vulnerable website if the victim first

visited a malicious website under the control of the attacker who

was able to use that page to set a cookie for the vulnerable website

(CVE-2007-4670).

 

Updated packages have been patched to prevent these issues.

In addition, PECL ZIP version 1.8.10 is being provided for Corporate

Server 4.0.