We assigned some CVE names for the new issues here; two correspond to
existing issues fixed earlier in 5.2.11. The CVE names have not made it
to the web site but were used in the e-mail announcement text:

- Added missing sanity checks around exif processing. (CVE-2009-3292, Ilia)
- Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.
(CVE-2009-3557, Rasmus)
- Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz
Stachowiak. (CVE-2009-3558, Rasmus)
- Fixed bug #50063 (safe_mode_include_dir fails). (CVE-2009-3559,
Johannes, christian at elmerot dot se)
- Fixed bug #44683 (popen crashes when an invalid mode is passed).
(CVE-2009-3294, Pierre)

Regards, Joe

Bogdan Calin disclosed the details about that vulnerability on full-disclosure
mailing list. He didn't disclosed his script but I wrote a PoC that works like
a charm. It makes DoS possible for any server that runs PHP within 1 minute
with a few requests.

Additionally, this vulnerability affects 5.2.11. I guess all products before
PHP 5.3.1 are vulnerable.

I think this deserves CVE Id. Any ideas?

On Fri, 20 Nov 2009, Thomas Biege wrote:

: PHP was updated to version 5.3.1 and did also address security
: issues: http://www.php.net/releases/5_3_1.php
:
: Security Enhancements and Fixes in PHP 5.3.1:
:
: * Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
: * Added missing sanity checks around exif processing.

This was previously disclosed and fixed in the 5.2.x tree. I believe this
is the same as CVE-2009-3292.

: * Fixed a safe_mode bypass in tempnam().
: * Fixed a open_basedir bypass in posix_mkfifo().
: * Fixed bug #50063 (safe_mode_include_dir fails).
: * Fixed bug #44683 (popen crashes when an invalid mode is passed).

Also not flagged as 'security' up top, but from the changelog:

Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars
restrictions). (Ilia)

Brian