Launchpad.net

CVE 2008-0599

The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI.

Related bugs and status

CVE-2008-0599 (Candidate) is related to these bugs:

Bug #227464: Please roll out security fixes from PHP 5.2.6

		In	Importance	Status
227464	Please roll out security fixes from PHP 5.2.6	php5 (Ubuntu)	Undecided	Fix Released
227464	Please roll out security fixes from PHP 5.2.6	php5 (Debian)	Unknown	Fix Released
227464	Please roll out security fixes from PHP 5.2.6	Hardy Backports	Undecided	Invalid
227464	Please roll out security fixes from PHP 5.2.6	php5 (Ubuntu Hardy)	Undecided	Fix Released
227464	Please roll out security fixes from PHP 5.2.6	php5 (Ubuntu Dapper)	Undecided	Fix Released
227464	Please roll out security fixes from PHP 5.2.6	php5 (Ubuntu Feisty)	Undecided	Fix Released
227464	Please roll out security fixes from PHP 5.2.6	php5 (Ubuntu Gutsy)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2008050...
CONFIRM: http://www.php.net/Cha...
BID: 29009
SECTRACK: 1019958
SECUNIA: 30048
CERT-VN: VU#147027
CONFIRM: http://wiki.rpath.com/...
CONFIRM: https://issues.rpath.c...
SECUNIA: 30345
HP: HPSBUX02342
HP: SSRT080063
FEDORA: FEDORA-2008-3606
FEDORA: FEDORA-2008-3864
REDHAT: RHSA-2008:0505
SECUNIA: 30757
SECUNIA: 30828
MANDRIVA: MDVSA-2008:127
MANDRIVA: MDVSA-2008:128
UBUNTU: USN-628-1
SECUNIA: 31200
APPLE: APPLE-SA-2008-07-31
SECUNIA: 31326
SECUNIA: 30083
SECUNIA: 30616
SECUNIA: 35650
VUPEN: ADV-2008-1412
VUPEN: ADV-2008-1810
VUPEN: ADV-2008-2268
GENTOO: GLSA-200811-05
SECUNIA: 32746
CONFIRM: http://cvs.php.net/vie...
HP: HPSBUX02431
HP: SSRT090085
HP: HPSBUX02465
HP: SSRT090192
SLACKWARE: SSA:2008-128-01
XF: php-vector-unspecified...
OVAL: oval:org.mitre.oval:de...
BUGTRAQ: 20080523 rPSA-2008-017...