
Advisories MDVSA-2009:324: php


paul

Multiple vulnerabilities were discovered and corrected in php:

 

The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent attackers to cause a denial of service (file truncation) via a key containing a NULL byte. NOTE: this might only be a vulnerability in limited circumstances in which the attacker can modify or add database entries but does not have permission to truncate the file (CVE-2008-7068).

 

The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x before 5.2.9 allows remote attackers to cause a denial of service (segmentation fault) via a malformed string passed to the json_decode API function (CVE-2009-1271).

 

exif_read_data() segfaults on certain corrupted .jpeg files; fixed as upstream bug #48378 (CVE-2009-2687).

 

The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates (CVE-2009-3291).

 

Unspecified vulnerability in PHP before 5.2.11 has unknown impact and attack vectors related to missing sanity checks around exif processing (CVE-2009-3292).

 

Unspecified vulnerability in the imagecolortransparent function in PHP before 5.2.11 has unknown impact and attack vectors related to an incorrect sanity check for the color index (CVE-2009-3293).

 

The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and in the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file; this is a different vulnerability from CVE-2009-3293. NOTE: some of these details are obtained from third-party information (CVE-2009-3546).

 

The tempnam function in ext/standard/file.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass safe_mode restrictions and create files in group-writable or world-writable directories via the dir and prefix arguments (CVE-2009-3557).

 

The posix_mkfifo function in ext/posix/posix.c in PHP 5.2.11 and earlier, and 5.3.x before 5.3.1, allows context-dependent attackers to bypass open_basedir restrictions and create FIFO files via the pathname and mode arguments, as demonstrated by creating a .htaccess file (CVE-2009-3558).

 

PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion) and makes it easier for remote attackers to exploit local file inclusion vulnerabilities via multiple requests, related to the lack of support for the max_file_uploads directive (CVE-2009-4017).

 

The proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable (CVE-2009-4018).
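The script below is an added example for this post, not code from Mandriva or the PHP project. It reports which of the issues listed above apply to a PHP release by upstream version numbering and which of the directives the advisory names (max_file_uploads, safe_mode, open_basedir) are in effect on the running build. The version thresholds are read from the advisory text; the ceiling of 20 for max_file_uploads and the choice of functions to suggest for disable_functions are the example's own assumptions. Distribution packages backport fixes without changing PHP_VERSION, so a version hit is a reason to compare the installed package release (rpm -q php), not proof of exposure.

```php
<?php
// Added example, not part of the Mandriva advisory or of PHP: report which
// issues in MDVSA-2009:324 apply to a PHP release by upstream version
// numbering, and which of the directives the advisory names are in effect.
// Distribution packages backport fixes without bumping PHP_VERSION, so a
// version hit means "check the package release", not "vulnerable".
// Written in PHP 5.2-compatible syntax so it runs on the builds in question.

function advisory_findings($version, array $ini)
{
    $f = array();
    $parts  = explode('.', $version) + array(0, 0);   // pad short versions
    $branch = (int) $parts[0] . '.' . (int) $parts[1];

    if ($branch === '5.3') {
        // The advisory lists "5.3.x before 5.3.1" for the later issues.
        if (version_compare($version, '5.3.1', '<')) {
            $f[] = "$version is 5.3.x before 5.3.1: CVE-2009-3546, CVE-2009-3557, "
                 . "CVE-2009-3558, CVE-2009-4017, CVE-2009-4018";
        }
    } elseif ($branch === '5.2') {
        if (version_compare($version, '5.2.9', '<')) {
            $f[] = "$version is 5.2.x before 5.2.9: CVE-2009-1271 (json_decode segfault)";
        }
        if (version_compare($version, '5.2.11', '<')) {
            $f[] = "$version is before 5.2.11: CVE-2009-3291, CVE-2009-3292, "
                 . "CVE-2009-3293, CVE-2009-4018";
        }
        // "5.2.11 and earlier": 5.2.11 itself is still affected by these
        // (the advisory names 5.2.11 explicitly for CVE-2009-3546).
        if (version_compare($version, '5.2.11', '<=')) {
            $f[] = "$version is 5.2.11 or earlier: CVE-2009-3546, CVE-2009-3557, "
                 . "CVE-2009-3558, CVE-2009-4017";
        }
    } else {
        $f[] = "$version is outside the 5.2/5.3 series this check covers";
    }

    // CVE-2009-4017: with no max_file_uploads limit, one multipart/form-data
    // POST can create an unbounded number of temporary files.
    $mfu = isset($ini['max_file_uploads']) ? $ini['max_file_uploads'] : false;
    if ($mfu === false || $mfu === '') {
        $f[] = 'max_file_uploads is unknown or unset: uploads per request are unbounded';
    } elseif ((int) $mfu > 20) {
        // 20 is an assumed ceiling for this example, not a value from the advisory.
        $f[] = "max_file_uploads=$mfu is generous; lower it unless the application needs it";
    }

    // CVE-2009-3557 and CVE-2009-4018 bypass safe_mode; CVE-2009-3558 bypasses
    // open_basedir. Neither directive is a boundary to build on.
    if (!empty($ini['safe_mode'])) {
        $f[] = 'safe_mode is on: tempnam() and proc_open() bypass it on affected builds';
    }
    if (empty($ini['open_basedir'])) {
        $f[] = 'open_basedir is empty: PHP imposes no path restriction';
    } else {
        $f[] = "open_basedir={$ini['open_basedir']}: posix_mkfifo() bypasses it on affected builds";
    }

    // Functions the advisory names as bypass vectors; disable what is unused.
    $disabled = empty($ini['disable_functions'])
        ? array()
        : array_map('trim', explode(',', $ini['disable_functions']));
    foreach (array('proc_open', 'posix_mkfifo') as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $f[] = "$fn is callable; add it to disable_functions if the application does not need it";
        }
    }
    return $f;
}

// Gather the live values. ini_get() returns false for a directive this build
// does not know (max_file_uploads on the affected releases, safe_mode on 5.4+).
$ini = array();
foreach (array('max_file_uploads', 'safe_mode', 'open_basedir', 'disable_functions') as $d) {
    $ini[$d] = ini_get($d);
}

echo 'PHP ' . PHP_VERSION . "\n";
foreach (advisory_findings(PHP_VERSION, $ini) as $line) {
    echo " - $line\n";
}
```

Run it with the CLI binary that the web server actually loads (php -c pointing at the same php.ini), otherwise the directive values reported will be those of the CLI configuration rather than the one exposed to requests.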

 

Regarding CVE-2009-3293 (the imagecolortransparent color index check), note that Mandriva does not use the libgd source bundled with php by default; there is an unsupported package in contrib named php-gd-bundled that will eventually be updated to pick up these fixes. Systems that installed php-gd-bundled therefore remain affected until that package is updated.

 

The php-suhosin package has been upgraded to 0.9.22, which has better support for Apache vhosts.

 

Packages for 2008.0 are being provided due to extended support for Corporate products.

 

This update provides a solution to these vulnerabilities.
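The tempnam(), posix_mkfifo() and dba_replace() entries above are reminders that safe_mode and open_basedir are not boundaries an application should rely on, and that a NUL byte in a PHP string is seen truncated by the C library underneath. As an added example that is not part of the advisory or of PHP, the script below enforces directory containment and NUL-byte rejection in application code instead. The contained_path() and checked_dba_replace() helpers are this example's own, and the directory and file names it exercises are constructed for the demo.

```php
<?php
// Added example, not part of the Mandriva advisory or of PHP: application-side
// checks that do not depend on safe_mode or open_basedir, which CVE-2009-3557
// and CVE-2009-3558 show an affected tempnam()/posix_mkfifo() can step around,
// and that refuse the NUL-byte keys behind CVE-2008-7068.
// PHP 5.2-compatible syntax; the demo directory and file names are made up.

// C-level string handling stops at the first NUL, so a PHP string carrying
// one is seen truncated by the library underneath (the dba_replace() case).
function has_nul($s)
{
    return strpos($s, "\0") !== false;
}

// Wrapper that refuses a NUL-bearing key instead of handing it to dba_replace().
function checked_dba_replace($key, $value, $handle)
{
    if (has_nul($key)) {
        return false;
    }
    return dba_replace($key, $value, $handle);
}

// Resolve $name under $base and return the canonical path, or false when it
// escapes $base. Only the directory part is canonicalised, so a file that does
// not exist yet (what tempnam() or posix_mkfifo() would create) can be checked.
// Dotfiles such as .htaccess are refused outright.
function contained_path($base, $name)
{
    if ($name === '' || has_nul($name)) {
        return false;
    }
    $real_base = realpath($base);
    if ($real_base === false) {
        return false;
    }
    $dir  = realpath($real_base . DIRECTORY_SEPARATOR . dirname($name));
    $file = basename($name);
    if ($dir === false || $file === '' || $file[0] === '.') {
        return false;
    }
    // Compare with a trailing separator so /srv/data2 does not pass as /srv/data.
    if (strpos($dir . DIRECTORY_SEPARATOR, $real_base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $dir . DIRECTORY_SEPARATOR . $file;
}

// Demo: a throwaway base directory with one subdirectory (constructed input).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'contain-demo';
@mkdir($base, 0700);
@mkdir($base . DIRECTORY_SEPARATOR . 'sub', 0700);

$cases = array(
    'notes.txt',          // accepted
    'sub/data.db',        // accepted: subdirectory exists under $base
    '../escape.txt',      // rejected: leaves $base
    'sub/../../x',        // rejected: resolves above $base
    '.htaccess',          // rejected: dotfile
    "key\0.txt",          // rejected: NUL byte
);
foreach ($cases as $c) {
    $p = contained_path($base, $c);
    printf("%-16s => %s\n", addcslashes($c, "\0"), $p === false ? 'REJECTED' : $p);
}
```

Because realpath() follows symlinks before the prefix test, a link inside the base directory that points outside it is rejected as well, which is the case open_basedir was meant to catch.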
