1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
|
Issues affecting PHP 4 and PHP 5:
41 PHP 5 sqlite_udf_decode_binary() Buffer Overflow Vulnerability
#TODO(medium) -> for PHP5, php4 uses a seperate php4-sqlite package.
[MOPB-41-php5.diff]
34 PHP mail() Header Injection Through Subject and To Parameters
#TODO(medium) -> needs to be fixed, CVE-2007-1718 (php4 & php5, header
injection possible via some MTAs when set to process the headers for
recipients), Sarge's php4 not affected
[MOPB-34-php5.diff]
30 PHP _SESSION unset() Vulnerability
#TODO(low) -> hard to trigger remotely, CVE-2007-1700. (php4 & php5, code execution)
[MOPB-30-php5.diff]
26 PHP mb_parse_str() register_globals Activation Vulnerability
#TODO(medium) -> functionally enables register_globals for any future requests, CVE-2007-1583 (php4 & php5, enables stealth register_globals for life of process)
22 PHP session_regenerate_id() Double Free Vulnerability
#TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1521 (php4 & php5, code execution)
[MOPB-22-php5.diff]
10 PHP php_binary Session Deserialization Information Leak Vulnerability
#TODO(low) -> Can only leak 127 bytes of data, CVE-2007-1380 (php4 & php5, heap leak)
Check, to which extent this was covered by our backports of 5.2.1 patches
[MOPB-10-php5.diff]
Issues affecting PHP 4 only:
35 PHP 4 zip_entry_read() Integer Overflow Vulnerability
#TODO(medium) -> needs to be fixed, CVE-2007-1777 (php4, remote code execution)
[MOPB-35-php4.diff]
32 PHP 4.4.5/4.4.6 session_decode() Double Free Vulnerability (U)
TODO(medium) -> needs to be fixed in php/etch and php/sarge (remote code execution)
[MOPB-32-php4.diff]
04 PHP 4 unserialize() ZVAL Reference Counter Overflow
TODO (php4 only, gain execute control)
[MOPB-04-php4.diff]
Issues affecting PHP 5 only:
45 PHP ext/filter Email Validation Vulnerability
TODO(low) -> possible email header injections when coupled with other problems (php5 5.2.0, 5.2.1)
[MOPB-45-php5.diff]
44 PHP 5.2.0 Memory Manager Signed Comparision Vulnerability
#TODO(medium) -> remotely exploitable via SOAP interfaces, CVE-2007-1889 (php5 5.2.0 only)
42 PHP 5 php_stream_filter_create() Off By One Vulnerablity
#TODO(medium) -> needs to be fixed, CVE-2007-1824 (php5, remote code execution, though haven't reproduced it)
[MOPB-42-php5.diff]
23 PHP 5 Rejected Session Identifier Double Free Vulnerability
#TODO(medium) -> locally exploitable to gain access to process memory, hard to do remotely, CVE-2007-1522. (php5 5.2.0+, code execution)
19 PHP ext/filter Space Trimming Buffer Underflow Vulnerability
#TODO(medium) -> for PHP5. CVE-2007-1453 (php5 5.2.0 only, code execution on big endian)
18 PHP ext/filter HTML Tag Stripping Bypass Vulnerability
#TODO(medium) -> for PHP5. CVE-2007-1453 (php5 5.2.0 only, can avoid filters)
17 PHP ext/filter FDF Post Bypass Vulnerability
#TODO(low) -> ...or possibly "broken as designed". CVE-2007-1452, (php5 5.2.0 only, can avoid filters)
16 PHP zip:// URL Wrapper Buffer Overflow Vulnerability
#TODO(medium) -> possible remote data can result in code execution in 5.2.0 which uses the zip handler, CVE-2007-1399. (php5 5.2.0 only, code execution)
14 PHP substr_compare() Information Leak Vulnerability
#TODO(low) -> corner-case where length+offset > INT_MAX, CVE-2007-1375 (php5, heap leak)
[MOPB-14-php5.diff]
Done or resolved:
43 PHP msg_receive() Memory Allocation Integer Overflow Vulnerabilty
#N/A -> Only triggerable by malicious script, CVE-2007-1890 (php4 & php5, local code execution, possibly FreeBSD only)
40 PHP imap_mail_compose() Boundary Stack Buffer Overflow Vulnerability
#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1825
39 PHP str_replace() Memory Allocation Integer Overflow Vulnerability
#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0906/CVE-2007-1885
38 PHP printf() Family 64 Bit Casting Vulnerabilities
#Fixed in DSA-1264 and the respective PHP4/PHP5 packages, dupe CVE-2007-0909/CVE-2007-1884
37 PHP iptcembed() Interruption Information Leak Vulnerability
#N/A -> Only triggerable by malicious script, CVE-2007-1883 (php4 & php5, local code execution)
36 PHP session.save_path open_basedir Bypass Vulnerability
#N/A -> open_basedir bypasses not supported, CVE-2007-1461
33 PHP mail() Message ASCIIZ Byte Truncation
#N/A -> This is a bug, but not security-relevant, CVE-2007-1717 (php4 & php5)
31 PHP _SESSION Deserialization Overwrite Vulnerability
#N/A -> register_globals not supported, already fixed in DSA-1264, dupe CVE-2007-0910/CVE-2007-1701 (php4 & php5, very hard to trigger remotely, code execution)
29 PHP 5.2.1 unserialize() Information Leak Vulnerability
#N/A -> Only affects PHP 5.2.1, CVE-2007-1649 (heap leak via broken "S" unserializer, which should maybe be removed from 5.2.1, since it is only for future compatibility and is totally broken?)
[MOPB-29-php5.diff]
28 PHP hash_update_file() Already Freed Resource Access Vulnerability
#N/A -> Only triggerable by malicious script, CVE-2007-1581 (php5, local malicious stream handler leads to code execution)
27 PHP ext/gd Already Freed Resource Access Vulnerability
#N/A -> Only triggerable by malicious script, CVE-2007-1582 (php4 & php5, local malicious error handler leads to code execution)
25 PHP header() Space Trimming Buffer Underflow Vulnerability
#Fixed in Etch as part of the 5.2.1 backport, dupe CVE-2007-0907/CVE-2007-1584
24 PHP array_user_key_compare() Double DTOR Vulnerability
#N/A -> Only triggerable by malicious script, CVE-2007-1484 (php4 & php5, code execution)
[MOPB-24-php5.diff]
21 PHP compress.bzip2:// URL Wrapper safemode and open_basedir Bypass Vulnerability
#N/A -> Safemode and open_basedir bypasses not supported, CVE-2007-1461
20 PHP zip:// URL Wrapper safemode and open_basedir Bypass Vulnerability
#N/A -> Safemode and open_basedir bypasses not supported, CVE-2007-1460
15 PHP shmop Functions Resource Verification Vulnerability
#N/A -> Only triggerable by malicious script, could be used to read/write arbitrary memory, CVE-2007-1376 (php4 & php5, arbitrary memory leakage)
[MOPB-15-php5.diff]
13 PHP 4 Ovrimos Extension Multiple Vulnerabilities
#N/A -> Ovrimos support not provided in any debian php packages, CVE-2007-1379, CVE-2007-1378
12 mod_security POST Rules Bypass Vulnerability
#N/A -> applies to modsecurity, not packaged for sarge/etch/(sid?), CVE-2007-1359.
11 PHP WDDX Session Deserialization Information Leak Vulnerability
#Fixed in DSA-1264. CVE-2007-0908 (php4 & php5, controllable stack leak)
09 PHP wddx_deserialize() String Append Buffer Overflow Vulnerability
#N/A -> Only applies to a development version in CVS, not a shipped release, CVE-2007-1381.
08 PHP 4 phpinfo() XSS Vulnerability (Deja-vu)
N/A -> phpinfo() is a debug function, not be exposed to applications (php4 4.4.3 through 4.4.6 only, phpinfo XSS)
07 Zend Platform ini_modifier Local Root Vulnerability (B)
N/A -> Only affects the Zend platform
06 Zend Platform Insecure File Permission Local Root Vulnerability
N/A -> Only affects the Zend platform
05 PHP unserialize() 64 bit Array Creation Denial of Service Vulnerability
#Fixed in DSA-1264. CVE-2007-0988 (php4 & php5, limited-time 100% CPU DoS)
03 PHP Variable Destructor Deep Recursion Stack Overflow
#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2007-1285 (php4 & php5, crash only)
02 PHP Executor Deep Recursion Stack Overflow
#N/A -> Applications need to impose sanity checks for maximum recursion, CVE-2006-1549 (php4 & php5, crash only)
01 PHP 4 Userland ZVAL Reference Counter Overflow Vulnerability
#N/A -> Only triggerable by malicious script, CVE-2007-1383 (php4 only, gain execute control)
(Comments starting with # indicate that information has been fed to the tracker)
(Comments starting with TOFIX indicate that a patch has been created or extracted)
# php4 checklist
Sarge Etch
41 a a <- seperate source package php4-sqlite
35 T T
34 / t
32 T T
30 / /
26 a a
22 t t
10 T T <- seemed already fixed but this completes the patch
04 T T
? = more info
x = fix needed
* = extracted
a = patch generated and commited to SVN
t = didn't seem affected, but patch makes sense
T = code tested
/ = not affected
# PHP5 checklist....
MOPB Etch, Unstable Dapper, Edgy, Feisty, Gutsy PATCH
10 p p[3] T T T - *
14 X T T T T - *
15 i T T T - - *
16 p p - - - -
17 - - - - - -
18 X T - - - -
19 X T - - - -
22 X T T T T - *
23 X T[5] X X X - ?
24 i i T T T X *
26 X T T T T - *
29 - - - - T - *
30 - a[4] T T - - *
34 X a T T T - *
41 X T T T T - ![1]
42 X a T T - - *
44 X a - - - -
45 X T - - T - ![2]
* = patch extracted from upstream
? = no upstream patch found
! = patch created
X = fixed desired
a = patch applied
p = previously fixed
T = code tested
- = fix n/a
i = fix skipped
[1] but the fix in php5 is not right, the call (not the SQLite API) needs
to be changed. For references, here is the upstream "fix":
http://cvs.php.net/viewvc.cgi/php-src/ext/sqlite/libsqlite/src/encode.c?r1=1.5.4.1&r2=1.5.4.1.2.1&pathrev=PHP_5_2
[2] this needs a CVE assigned
[3] previously fixed, but the patch adds another check we should have too.
[4] could not reproduce this problem
[5] the first hunk of the patch for mopb 22 fixes this.
|
