stef-guest at alioth.debian.org
2007-May-26 11:13 UTC
[Secure-testing-commits] r5937 - data/DTSA/advs
Author: stef-guest Date: 2007-05-26 11:13:36 +0000 (Sat, 26 May 2007) New Revision: 5937 Added: data/DTSA/advs/41-php5.adv Log: really add php5 adv Added: data/DTSA/advs/41-php5.adv ==================================================================--- data/DTSA/advs/41-php5.adv (rev 0) +++ data/DTSA/advs/41-php5.adv 2007-05-26 11:13:36 UTC (rev 5937) @@ -0,0 +1,97 @@ +source: php5 +date: May 26th, 2007 +author: Stefan Fritsch +vuln-type: several vulnerabilities +problem-scope: remote +debian-specifc: no +cve: CVE-2007-1286 CVE-2007-1375 CVE-2007-1376 CVE-2007-1380 CVE-2007-1453 CVE-2007-1454 CVE-2007-1521 CVE-2007-1583 CVE-2007-1700 CVE-2007-1718 CVE-2007-1777 CVE-2007-1824 CVE-2007-1887 CVE-2007-1889 CVE-2007-1900 CVE-2007-2509 CVE-2007-2510 CVE-2007-2511 +vendor-advisory: +testing-fix: 5.2.0-10+lenny1 +sid-fix: 5.2.2-1 +upgrade: apt-get upgrade + +Several remote vulnerabilities have been discovered in PHP, a +server-side, HTML-embedded scripting language, which may lead to the +execution of arbitrary code. The Common Vulnerabilities and Exposures +project identifies the following problems: + +CVE-2007-1286 + Stefan Esser discovered an overflow in the object reference handling + code of the unserialize() function, which allows the execution of + arbitrary code if malformed input is passed from an application. + +CVE-2007-1375 + Stefan Esser discovered that an integer overflow in the substr_compare() + function allows information disclosure of heap memory. + +CVE-2007-1376 + Stefan Esser discovered that insufficient validation of shared memory + functions allows the disclosure of heap memory. + +CVE-2007-1380 + Stefan Esser discovered that the session handler performs + insufficient validation of variable name length values, which allows + information disclosure through a heap information leak. + +CVE-2007-1453 + Stefan Esser discovered that the filtering framework performs insufficient + input validation, which allows the execution of arbitrary code through a + buffer underflow. + +CVE-2007-1454 + Stefan Esser discovered that the filtering framework can be bypassed + with a special whitespace character. + +CVE-2007-1521 + Stefan Esser discovered a double free vulnerability in the + session_regenerate_id() function, which allows the execution of + arbitrary code. + +CVE-2007-1583 + Stefan Esser discovered that a programming error in the mb_parse_str() + function allows the activation of "register_globals". + +CVE-2007-1700 + Stefan Esser discovered that the session extension incorrectly maintains + the reference count of session variables, which allows the execution of + arbitrary code. + +CVE-2007-1718 + Stefan Esser discovered that the mail() function performs + insufficient validation of folded mail headers, which allows mail + header injection. + +CVE-2007-1777 + Stefan Esser discovered that the extension to handle ZIP archives + performs insufficient length checks, which allows the execution of + arbitrary code. + +CVE-2007-1824 + Stefan Esser discovered an off-by-one in the filtering framework, which + allows the execution of arbitrary code. + +CVE-2007-1887 + Stefan Esser discovered that a buffer overflow in the sqlite extension + allows the execution of arbitrary code. + +CVE-2007-1889 + Stefan Esser discovered that the PHP memory manager performs an + incorrect type cast, which allows the execution of arbitrary code + through buffer overflows. + +CVE-2007-1900 + Stefan Esser discovered that incorrect validation in the email filter + extension allowed the injection of mail headers. + +CVE-2007-2509 + It was discovered that missing input sanitising inside the ftp + extension permits an attacker to execute arbitrary FTP commands. + This requires the attacker to already have access to the FTP + server. + +CVE-2007-2510 + It was discovered that a buffer overflow in the SOAP extension permits + the execution of arbitrary code. + +CVE-2007-2511 + A buffer overflow was discovered in the user_filter_factory_create.