From 06504aa60b1b153fe17cd86b4a9ae8c3a034ccf2 Mon Sep 17 00:00:00 2001 From: Stefan Fritsch Date: Sat, 26 May 2007 11:13:36 +0000 Subject: really add php5 adv git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@5937 e39458fd-73e7-0310-bf30-c45bca0a0e42 --- data/DTSA/advs/41-php5.adv | 97 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 data/DTSA/advs/41-php5.adv (limited to 'data/DTSA') diff --git a/data/DTSA/advs/41-php5.adv b/data/DTSA/advs/41-php5.adv new file mode 100644 index 0000000000..8d07431f49 --- /dev/null +++ b/data/DTSA/advs/41-php5.adv @@ -0,0 +1,97 @@ +source: php5 +date: May 26th, 2007 +author: Stefan Fritsch +vuln-type: several vulnerabilities +problem-scope: remote +debian-specifc: no +cve: CVE-2007-1286 CVE-2007-1375 CVE-2007-1376 CVE-2007-1380 CVE-2007-1453 CVE-2007-1454 CVE-2007-1521 CVE-2007-1583 CVE-2007-1700 CVE-2007-1718 CVE-2007-1777 CVE-2007-1824 CVE-2007-1887 CVE-2007-1889 CVE-2007-1900 CVE-2007-2509 CVE-2007-2510 CVE-2007-2511 +vendor-advisory: +testing-fix: 5.2.0-10+lenny1 +sid-fix: 5.2.2-1 +upgrade: apt-get upgrade + +Several remote vulnerabilities have been discovered in PHP, a +server-side, HTML-embedded scripting language, which may lead to the +execution of arbitrary code. The Common Vulnerabilities and Exposures +project identifies the following problems: + +CVE-2007-1286 + Stefan Esser discovered an overflow in the object reference handling + code of the unserialize() function, which allows the execution of + arbitrary code if malformed input is passed from an application. + +CVE-2007-1375 + Stefan Esser discovered that an integer overflow in the substr_compare() + function allows information disclosure of heap memory. + +CVE-2007-1376 + Stefan Esser discovered that insufficient validation of shared memory + functions allows the disclosure of heap memory. + +CVE-2007-1380 + Stefan Esser discovered that the session handler performs + insufficient validation of variable name length values, which allows + information disclosure through a heap information leak. + +CVE-2007-1453 + Stefan Esser discovered that the filtering framework performs insufficient + input validation, which allows the execution of arbitrary code through a + buffer underflow. + +CVE-2007-1454 + Stefan Esser discovered that the filtering framework can be bypassed + with a special whitespace character. + +CVE-2007-1521 + Stefan Esser discovered a double free vulnerability in the + session_regenerate_id() function, which allows the execution of + arbitrary code. + +CVE-2007-1583 + Stefan Esser discovered that a programming error in the mb_parse_str() + function allows the activation of "register_globals". + +CVE-2007-1700 + Stefan Esser discovered that the session extension incorrectly maintains + the reference count of session variables, which allows the execution of + arbitrary code. + +CVE-2007-1718 + Stefan Esser discovered that the mail() function performs + insufficient validation of folded mail headers, which allows mail + header injection. + +CVE-2007-1777 + Stefan Esser discovered that the extension to handle ZIP archives + performs insufficient length checks, which allows the execution of + arbitrary code. + +CVE-2007-1824 + Stefan Esser discovered an off-by-one in the filtering framework, which + allows the execution of arbitrary code. + +CVE-2007-1887 + Stefan Esser discovered that a buffer overflow in the sqlite extension + allows the execution of arbitrary code. + +CVE-2007-1889 + Stefan Esser discovered that the PHP memory manager performs an + incorrect type cast, which allows the execution of arbitrary code + through buffer overflows. + +CVE-2007-1900 + Stefan Esser discovered that incorrect validation in the email filter + extension allowed the injection of mail headers. + +CVE-2007-2509 + It was discovered that missing input sanitising inside the ftp + extension permits an attacker to execute arbitrary FTP commands. + This requires the attacker to already have access to the FTP + server. + +CVE-2007-2510 + It was discovered that a buffer overflow in the SOAP extension permits + the execution of arbitrary code. + +CVE-2007-2511 + A buffer overflow was discovered in the user_filter_factory_create. -- cgit v1.2.3