Discussion:
CVE request: php 5.3.1 update
Thomas Biege
2009-11-20 10:41:50 UTC
Hello,

PHP was updated to version 5.3.1 and did also address security
issues: http://www.php.net/releases/5_3_1.php

Security Enhancements and Fixes in PHP 5.3.1:

* Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
* Added missing sanity checks around exif processing.
* Fixed a safe_mode bypass in tempnam().
* Fixed an open_basedir bypass in posix_mkfifo().
* Fixed bug #50063 (safe_mode_include_dir fails).
* Fixed bug #44683 (popen crashes when an invalid mode is passed).
--
Bye,
Thomas
--
Thomas Biege <thomas-***@public.gmane.org>, SUSE LINUX, Security Support & Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
-- Marie von Ebner-Eschenbach
Joe Orton
2009-11-20 10:47:35 UTC
Post by Thomas Biege
Hello,
PHP was updated to version 5.3.1 and did also address security
issues: http://www.php.net/releases/5_3_1.php
We assigned some CVE names for the new issues here; two correspond to
existing issues fixed earlier in 5.2.11. The CVE names have not made it
to the web site but were used in the e-mail announcement text:

- Added missing sanity checks around exif processing. (CVE-2009-3292, Ilia)
- Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.
(CVE-2009-3557, Rasmus)
- Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz
Stachowiak. (CVE-2009-3558, Rasmus)
- Fixed bug #50063 (safe_mode_include_dir fails). (CVE-2009-3559,
Johannes, christian at elmerot dot se)
- Fixed bug #44683 (popen crashes when an invalid mode is passed).
(CVE-2009-3294, Pierre)

Regards, Joe
Tomas Hoger
2009-11-20 14:03:28 UTC
Post by Joe Orton
Post by Thomas Biege
PHP was updated to version 5.3.1 and did also address security
issues: http://www.php.net/releases/5_3_1.php
We assigned some CVE names for the new issues here; two correspond to
existing issues fixed earlier in 5.2.11. The CVE names have not made
Link to announcement mail with CVEs:

http://news.php.net/php.announce/79
Post by Joe Orton
- Fixed bug #50063 (safe_mode_include_dir fails). (CVE-2009-3559,
Johannes, christian at elmerot dot se)
Reading the upstream bug http://bugs.php.net/bug.php?id=50063 , this is
not a security flaw, rather a safe_mode regression causing the uid check to
happen where it should not, resulting in an over-restrictive safe_mode.
Post by Joe Orton
- Fixed a safe_mode bypass in tempnam() identified by Grzegorz
Stachowiak. (CVE-2009-3557, Rasmus)
http://securityreason.com/securityalert/6601
http://svn.php.net/viewvc?view=revision&revision=288945
Post by Joe Orton
- Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz
Stachowiak. (CVE-2009-3558, Rasmus)
http://securityreason.com/securityalert/6600
http://svn.php.net/viewvc?view=revision&revision=288943

Looks like CVE-2009-3546 got fixed too.
--
Tomas Hoger / Red Hat Security Response Team
Eren Türkay
2009-11-20 17:46:14 UTC
Post by Thomas Biege
* Added "max_file_uploads" INI directive, which can be set to limit the
number of file uploads per-request to 20 by default, to prevent possible
DOS via temporary file exhaustion.
Bogdan Calin disclosed the details about that vulnerability on the full-disclosure
mailing list. He didn't disclose his script, but I wrote a PoC that works like
a charm. It makes DoS possible for any server that runs PHP within 1 minute
with a few requests.

Additionally, this vulnerability affects 5.2.11. I guess all products before
PHP 5.3.1 are vulnerable.

I think this deserves CVE Id. Any ideas?
Jan Lieskovsky
2009-11-23 12:18:14 UTC
Post by Eren Türkay
Post by Thomas Biege
* Added "max_file_uploads" INI directive, which can be set to limit the
number of file uploads per-request to 20 by default, to prevent possible
DOS via temporary file exhaustion.
Bogdan Calin disclosed the details about that vulnerability on full-disclosure
mailing list. He didn't disclosed his script but I wrote a PoC that works like
a charm. It makes DoS possible for any server that runs PHP within 1 minute
with a few requests.
Additionally, this vulnerability affects 5.2.11. I guess all products before
PHP 5.3.1 are vulnerable.
I think this deserves CVE Id. Any ideas?
Josh, could you please allocate one?

Also changed the topic to match only 'php 5.3.1 - "max_file_uploads"' thing,
so it isn't lost in other mails.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Josh Bressers
2009-11-23 19:51:28 UTC
CVE-2009-4017

PHP versions before 5.3.1 contain a flaw in the way multipart/form-data
file upload requests were handled. A user making a specially crafted request could
cause the web server to consume resources processing the request.

http://www.php.net/releases/5_3_1.php
http://marc.info/?l=full-disclosure&m=125871907031725&w=2

Thanks.
--
JB
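The mechanism behind CVE-2009-4017, as an added example (not code from the thread, from Bogdan Calin's or Eren's PoC, or from PHP's own rfc1867 upload handler): a toy multipart/form-data receiver that, like PHP, materialises every file part of a request into its own temporary file as it parses the body. One request carrying thousands of tiny file parts therefore costs the server one temp file (and inode) per part, which is the temporary-file exhaustion the new max_file_uploads directive caps. The 20-part default comes from the release note; the "parts beyond the cap create no temp file" behaviour, the sample request and all names are constructed here and are assumptions, not PHP's implementation.

```python
import os
import tempfile

DEFAULT_MAX_FILE_UPLOADS = 20  # PHP 5.3.1 default, per the release note


def build_multipart(num_files, boundary="----constructedBoundary42"):
    """Construct a multipart/form-data body carrying num_files tiny file parts.
    Each part costs the sender roughly 100 bytes of request body."""
    parts = []
    for i in range(num_files):
        parts.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="f{i}"; filename="f{i}.txt"\r\n'
            "Content-Type: text/plain\r\n"
            "\r\n"
            "x\r\n"
        )
    parts.append(f"--{boundary}--\r\n")
    return "".join(parts).encode(), boundary


def parse_parts(body, boundary):
    """Yield (headers, data) per part. Minimal parser for a well-formed body
    built by build_multipart(); not hardened for untrusted input."""
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if data.endswith(b"\r\n"):
            data = data[:-2]
        yield headers, data


def receive_uploads(body, boundary, tmpdir, max_file_uploads=None):
    """Write each file part to a temp file, the way an upload handler does,
    and return the paths created. max_file_uploads=None models PHP before
    5.3.1 (no cap). With a cap, parts beyond it create no temp file
    (assumed behaviour for this illustration)."""
    created = []
    for headers, data in parse_parts(body, boundary):
        disposition = headers.get("content-disposition", "")
        if "filename=" not in disposition:
            continue  # ordinary form field: no temp file involved
        if max_file_uploads is not None and len(created) >= max_file_uploads:
            continue  # over the cap: the part is ignored
        fd, path = tempfile.mkstemp(prefix="php", dir=tmpdir)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        created.append(path)
    return created


def temp_files_for(num_files, max_file_uploads=None):
    """Count the temp files a single request with num_files parts produces."""
    body, boundary = build_multipart(num_files)
    with tempfile.TemporaryDirectory() as tmpdir:
        paths = receive_uploads(body, boundary, tmpdir, max_file_uploads)
        return sum(os.path.isfile(p) for p in paths)


if __name__ == "__main__":
    n = 500
    print("parts:", n,
          "temp files uncapped:", temp_files_for(n),
          "capped at default:", temp_files_for(n, DEFAULT_MAX_FILE_UPLOADS))
```

With no cap the count of temp files equals the count of file parts, so the only limits are post_max_size and the temp filesystem; with the cap it never exceeds 20 per request, which is why the fix is a per-request count rather than a size limit. Check `ini_get('max_file_uploads')` (or `php -i | grep max_file_uploads`) on anything older than 5.3.1: the directive does not exist there, which is the condition Eren describes.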
security curmudgeon
2009-11-22 05:27:54 UTC
On Fri, 20 Nov 2009, Thomas Biege wrote:

: PHP was updated to version 5.3.1 and did also address security
: issues: http://www.php.net/releases/5_3_1.php
:
: Security Enhancements and Fixes in PHP 5.3.1:
:
: * Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
: * Added missing sanity checks around exif processing.

This was previously disclosed and fixed in the 5.2.x tree. I believe this
is the same as CVE-2009-3292.

: * Fixed a safe_mode bypass in tempnam().
: * Fixed an open_basedir bypass in posix_mkfifo().
: * Fixed bug #50063 (safe_mode_include_dir fails).
: * Fixed bug #44683 (popen crashes when an invalid mode is passed).

Also not flagged as 'security' up top, but from the changelog:

Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars
restrictions). (Ilia)

Brian
Jan Lieskovsky
2009-11-23 12:29:42 UTC
Hi Brian,
Post by security curmudgeon
: PHP was updated to version 5.3.1 and did also address security
: issues: http://www.php.net/releases/5_3_1.php
: * Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
: * Added missing sanity checks around exif processing.
This was previously disclosed and fixed in the 5.2.x tree. I believe this
is the same as CVE-2009-3292.
: * Fixed a safe_mode bypass in tempnam().
: * Fixed an open_basedir bypass in posix_mkfifo().
: * Fixed bug #50063 (safe_mode_include_dir fails).
: * Fixed bug #44683 (popen crashes when an invalid mode is passed).
Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars
restrictions). (Ilia)
Thank you for pointing this out.

Yes, further look into particular php bugzilla returns:

"Environment variables specified for proc_open are passed without check, so
the safe_mode_allowed_env_vars and safe_mode_protected_env_vars settings are
ignored. So it becomes possible to use a buffer overflow exploit with
"LD_PRELOAD=evil_library.so" to bypass safe_mode restrictions and get
access to any files accessible to the apache uid."

So looks another CVE id is needed here. Changed subject to:
"CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026"

Could we get another CVE id for this case?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Post by security curmudgeon
Brian
Josh Bressers
2009-11-23 20:49:28 UTC
CVE-2009-4018

In PHP before 5.3.1, proc_open() can be used to bypass the
safe_mode_protected_env_vars INI setting. This could be used to alter the
process environment, possibly executing arbitrary code.

http://www.php.net/ChangeLog-5.php#5.3.1
http://bugs.php.net/bug.php?id=49026
http://marc.info/?l=oss-security&m=125897935330618&w=2

Thanks.
--
JB
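The check that bug #49026 (CVE-2009-4018) says proc_open() skipped, as an added example (not PHP's source and not the fix from the changelog). It is modelled on the documented meaning of the two INI directives, which is assumed here and should be verified against your own php.ini: safe_mode_allowed_env_vars is a comma-delimited list of name prefixes a script may set (PHP's default "PHP_", and an empty list means any name is allowed), and safe_mode_protected_env_vars is a comma-delimited list of names a script may never alter regardless of the prefix list (default "LD_LIBRARY_PATH"). vulnerable_env() is the behaviour the bug describes, a script-supplied environment merged into the child's environment unchecked; safe_env() applies both rules so that an LD_PRELOAD entry never reaches the child. All function names and the sample input are constructed.

```python
import json
import subprocess
import sys

# php.ini safe_mode defaults as documented for PHP 5.x (assumed; verify yours).
DEFAULT_ALLOWED_ENV_VARS = "PHP_"
DEFAULT_PROTECTED_ENV_VARS = "LD_LIBRARY_PATH"


def parse_list(value):
    """Split a comma-delimited INI value into trimmed, non-empty names."""
    return [v.strip() for v in value.split(",") if v.strip()]


def vulnerable_env(requested, base_env):
    """What bug #49026 describes: the script-supplied environment is merged
    into the child's environment with no check at all."""
    env = dict(base_env)
    env.update(requested)
    return env


def safe_env(requested, base_env,
             allowed=DEFAULT_ALLOWED_ENV_VARS,
             protected=DEFAULT_PROTECTED_ENV_VARS):
    """Apply the two safe_mode rules to a script-supplied environment.
    Returns (environment for the child, rejected name -> value)."""
    prefixes = parse_list(allowed)
    blocked = set(parse_list(protected))
    env = dict(base_env)
    rejected = {}
    for name, value in requested.items():
        if name in blocked:
            rejected[name] = value  # the protected list always wins
            continue
        # An empty allowed list means "any prefix", as the php.ini comment warns.
        if prefixes and not any(name.startswith(p) for p in prefixes):
            rejected[name] = value
            continue
        env[name] = value
    return env, rejected


def child_environment(env):
    """Spawn a child with exactly `env` and return the environment it saw,
    standing in for proc_open() followed by `env` inside the child."""
    out = subprocess.run(
        [sys.executable, "-c",
         "import json, os; print(json.dumps(dict(os.environ)))"],
        env=env, capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    base = {"PATH": "/usr/bin:/bin"}
    # Constructed attacker input, mirroring the LD_PRELOAD technique in the bug.
    requested = {"PHP_DEBUG": "1", "LD_PRELOAD": "/tmp/evil_library.so"}
    print("unchecked env would carry:",
          sorted(k for k in vulnerable_env(requested, base) if k in requested))
    env, rejected = safe_env(requested, base)
    seen = child_environment(env)
    print("checked env child saw:", sorted(k for k in seen if k in requested),
          "rejected:", sorted(rejected))
```

Note where the protection actually comes from: with the defaults, LD_PRELOAD is refused by the prefix rule (it does not start with "PHP_"), not by the protected list, which only names LD_LIBRARY_PATH. An administrator who empties safe_mode_allowed_env_vars or adds an "LD_" prefix to it reopens exactly the path in the bug report, so both directives need checking together, and since safe_mode itself is a script-level control the real boundary remains the apache uid, as Jan's quote says.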