Package: php5
Version: 5.2.0-8+etch10
Tags: security, upstream, fixed-upstream, etch, lenny

http://www.php.net/ChangeLog-5.php lists several security fixes which are
included in upstream PHP 5.2.6:

* Fixed possible stack buffer overflow in FastCGI SAPI. (Andrei Nigmatulin)
  --> CVE-2008-2050 (acc. to http://marc.info/?l=oss-security&m=120974347717937)
  --> not tracked by Debian yet

* Properly address incomplete multibyte chars inside escapeshellcmd() (Ilia, Stefan Esser)
  --> CVE-2008-2051 (acc. to http://marc.info/?l=oss-security&m=120974347717937)
  --> not tracked yet

* Fixed security issue detailed in CVE-2008-0599. (Rasmus)
  --> CVE-2008-0599 (acc. to http://www.php.net/ChangeLog-5.php)
  --> already tracked at http://security-tracker.debian.net/tracker/CVE-2008-0599

* Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. (Ilia)
  --> CVE-2007-4850 (acc. to http://securityreason.com/achievement_securityalert/51)
  --> already tracked at http://security-tracker.debian.net/tracker/CVE-2007-4850
  --> missing source package reference at http://security-tracker.debian.net/tracker/source-package/php5

* Upgraded PCRE to version 7.6 (Nuno)
  --> CVE-2008-0674 (best match, no reference found)
  --> not tracked yet
  --> possibly missing reference at http://security-tracker.debian.net/tracker/CVE-2008-0674
      (but should really be tracked separately)
  --> local code execution through buffer overflow

CC to team at security.debian.org: contains info on security issues not fixed in Debian Stable
CC to secure-testing-team: contains info on security issues not fixed in Debian Testing
CC to debian-security-tracker: contains info on missing cross references on security-tracker.d~.n~
Hi Moritz,

> http://www.php.net/ChangeLog-5.php lists several security fixes which are
> included in upstream PHP 5.2.6:

Thanks, there are two more, which I found and which I just committed to
the tracker:

+CVE-2008-XXXX [php integer overflow in printf]
+ - php5 <unfixed>
+ NOTE: http://www.php.net/ChangeLog-5.php
+ NOTE: Needs further details or digging in SVN
+CVE-2008-XXXX [php suboptimal seeding]
+ - php5 <unfixed> (low)
+ - php4 <unfixed> (low)
+ NOTE: http://www.sektioneins.de/advisories/SE-2008-02.txt
+ NOTE: I don't believe we need to address this, likely no-dsa, but needs further checking

Cheers,
Moritz
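Review bot: both new entries carry the same placeholder id CVE-2008-XXXX, so they cannot be told apart or cross-referenced until real identifiers are assigned; the printf entry also records no severity and no fix reference, and its own NOTE says the upstream commit still has to be located in SVN, so it should be revisited once that commit is found rather than left at <unfixed> with only the ChangeLog URL as a pointer.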
Hi,

Dustin Kirkland from the Ubuntu Server Team tracked down commits that
map to these issues.

On Tue, May 06, 2008 at 10:16:25AM +0000, Moritz Naumann wrote:
> * Fixed possible stack buffer overflow in FastCGI SAPI. (Andrei
> Nigmatulin)
> --> CVE-2008-2050 (acc. to
> http://marc.info/?l=oss-security&m=120974347717937)
> --> not tracked by Debian yet

http://marc.info/?l=php-cvs&m=120721829703242&w=2

> * Properly address incomplete multibyte chars inside escapeshellcmd()
> (Ilia, Stefan Esser)
> --> CVE-2008-2051 (acc. to
> http://marc.info/?l=oss-security&m=120974347717937)
> --> not tracked yet

http://marc.info/?l=php-cvs&m=120579496007399&w=2

> * Fixed security issue detailed in CVE-2008-0599. (Rasmus)
> --> CVE-2008-0599 (acc. to http://www.php.net/ChangeLog-5.php)
> --> already tracked at
> http://security-tracker.debian.net/tracker/CVE-2008-0599

http://marc.info/?l=php-cvs&m=120415902925033&w=2

> * Fixed a safe_mode bypass in cURL identified by Maksymilian
> Arciemowicz. (Ilia)
> --> CVE-2007-4850 (acc. to
> http://securityreason.com/achievement_securityalert/51)
> --> already tracked at
> http://security-tracker.debian.net/tracker/CVE-2007-4850
> --> missing source package reference at
> http://security-tracker.debian.net/tracker/source-package/php5

http://marc.info/?l=php-cvs&m=119963956428826&w=2

> * Upgraded PCRE to version 7.6 (Nuno)
> --> CVE-2008-0674 (best match, no reference found)
> --> not tracked yet
> --> possibly missing reference at
> http://security-tracker.debian.net/tracker/CVE-2008-0674
> (but should really be tracked separately)
> --> local code execution through buffer overflow

http://marc.info/?l=php-cvs&m=120163838831816&w=2

php links against the system pcre, though, correct? So I think this can
be ignored? Ah, yes, Thijs confirmed this in the bug report.

On Tue, May 06, 2008 at 04:47:32PM +0200, Moritz Muehlenhoff wrote:
> > http://www.php.net/ChangeLog-5.php lists several security fixes which are
> > included in upstream PHP 5.2.6:
>
> Thanks, there are two more, which I found and which I just committed to
> the tracker:
>
> +CVE-2008-XXXX [php integer overflow in printf]
> + - php5 <unfixed>
> + NOTE: http://www.php.net/ChangeLog-5.php
> + NOTE: Needs further details or digging in SVN

http://marc.info/?l=php-cvs&m=120579485607237&w=2

> +CVE-2008-XXXX [php suboptimal seeding]
> + - php5 <unfixed> (low)
> + - php4 <unfixed> (low)
> + NOTE: http://www.sektioneins.de/advisories/SE-2008-02.txt
> + NOTE: I don't believe we need to address this, likely no-dsa, but needs further checking

http://marc.info/?l=php-cvs&m=117601921106002&w=2

"However, the last one is from Sun Apr 8 08:04:31 2007 UTC, which seems
like ages ago. We might already have that one?"

-- 
Kees Cook @outflux.net
sean finney
2008-May-08 05:36 UTC
[Secure-testing-team] [php-maint] Bug#479723: php 5.2.6 Security Fixes
hi everyone,

On Wednesday 07 May 2008 11:52:41 pm Kees Cook wrote:
> Dustin Kirkland from the Ubuntu Server Team tracked down commits that
> map to these issues.

and earlier the following url's were forwarded to me by nico:

http://www.openwall.com/lists/oss-security/2008/05/02/2
http://www.openwall.com/lists/oss-security/2008/05/02/3

which can be used as a second reference (assuming dustin didn't also use
those). anyway, i'll look at this tonight and see how much progress i can
make.

sean
sean finney
2008-May-08 20:31 UTC
[Secure-testing-team] [php-maint] Bug#479723: php 5.2.6 Security Fixes
hi everyone (again)

sat down and spent some time looking at these:

On Wednesday 07 May 2008 11:52:41 pm Kees Cook wrote:
> On Tue, May 06, 2008 at 10:16:25AM +0000, Moritz Naumann wrote:
> > * Fixed possible stack buffer overflow in FastCGI SAPI. (Andrei
> > Nigmatulin)
> > --> CVE-2008-2050 (acc. to
> > http://marc.info/?l=oss-security&m=120974347717937)
> > --> not tracked by Debian yet
>
> http://marc.info/?l=php-cvs&m=120721829703242&w=2

this patch matches the one i referenced earlier

> > * Properly address incomplete multibyte chars inside escapeshellcmd()
> > (Ilia, Stefan Esser)
> > --> CVE-2008-2051 (acc. to
> > http://marc.info/?l=oss-security&m=120974347717937)
> > --> not tracked yet
>
> http://marc.info/?l=php-cvs&m=120579496007399&w=2

likewise

> > * Fixed security issue detailed in CVE-2008-0599. (Rasmus)
> > --> CVE-2008-0599 (acc. to http://www.php.net/ChangeLog-5.php)
> > --> already tracked at
> > http://security-tracker.debian.net/tracker/CVE-2008-0599

this looks like a coding error introduced >> 5.2.0, thus no fix needed afaict.

> http://marc.info/?l=php-cvs&m=120415902925033&w=2
>
> > * Fixed a safe_mode bypass in cURL identified by Maksymilian
> > Arciemowicz. (Ilia)
> > --> CVE-2007-4850 (acc. to
> > http://securityreason.com/achievement_securityalert/51)
> > --> already tracked at
> > http://security-tracker.debian.net/tracker/CVE-2007-4850
> > --> missing source package reference at
> > http://security-tracker.debian.net/tracker/source-package/php5
>
> http://marc.info/?l=php-cvs&m=119963956428826&w=2

as has already been stated, we don't bother looking at safe_mode bypasses.

> On Tue, May 06, 2008 at 04:47:32PM +0200, Moritz Muehlenhoff wrote:
> > > http://www.php.net/ChangeLog-5.php lists several security fixes which
> > > are included in upstream PHP 5.2.6:
> >
> > Thanks, there are two more, which I found and which I just committed to
> > the tracker:
> >
> > +CVE-2008-XXXX [php integer overflow in printf]
> > + - php5 <unfixed>
> > + NOTE: http://www.php.net/ChangeLog-5.php
> > + NOTE: Needs further details or digging in SVN
>
> http://marc.info/?l=php-cvs&m=120579485607237&w=2

this matches up as well.

> > +CVE-2008-XXXX [php suboptimal seeding]
> > + - php5 <unfixed> (low)
> > + - php4 <unfixed> (low)
> > + NOTE: http://www.sektioneins.de/advisories/SE-2008-02.txt
> > + NOTE: I don't believe we need to address this, likely no-dsa, but
> > needs further checking
>
> http://marc.info/?l=php-cvs&m=117601921106002&w=2
> "However, the last one is from Sun Apr 8 08:04:31 2007 UTC, which seems
> like ages ago. We might already have that one?"

the relevant code is either gone or totally refactored in mcrypt.c it seems,
so i'll assume that it's fixed unless someone digs up proof to the contrary.

anyway, the patches are all in svn now, and they cleanly apply. i have not
tested the build/update though, and will not have time to do this until
sometime next week most likely. could someone else pick it up from here?

sean