Comment 22 for bug 11223

Martin Schulze (joey-infodrom) wrote : Re: A backport of PHP fixes for 4.1.2

Pekka Savola wrote:
> I'm not a debian user myself, but I thought some might be interested at
> least.
>
> For Fedora Legacy, I've created a backport of OpenPKG's php patch,
> towards 4.1.2. It's attached.

Thanks.

> Security Fixes (OpenPKG-2004.053-php):
>
> o CAN-2004-1018:
> shmop_write() out of bounds memory write access.
> (ext/shmop/shmop.c)

Withdrawn, not considered as vulnerability since it would require
a malicious script and you can do more evil things much easier with
a malicious script.

>
> o CAN-2004-1018:
> integer overflow/underflow in pack() and unpack() functions.
> (main/php.h, ext/standard/pack.c)

Same as above.

> o CAN-2004-1019:
> possible information disclosure, double free and negative reference
> index array underflow in deserialization code.
> (ext/standard/var_unserializer.re, ext/standard/var_unserializer.c)
> **** NOT APPLICABLE IN 4.1.2!! ****

Real vulnerability, not applicable to woody.

> o CAN-2004-1020:
> addslashes() not escaping \0 correctly.
> (ext/standard/string.c)
> **** NOT NECESSARY IN PHP 4.3.8!! ****

Withdrawn, not considered as vulnerability since it would require
a malicious script and you can do more evil things much easier with
a malicious script.

> o CAN-2004-1063:
> safe_mode execution directory bypass.
> (ext/standard/link.c, TSRM/tsrm_virtual_cwd.c)

Same as above.

> o CAN-2004-1064:
> arbitrary file access through path truncation.
> (main/safe_mode.c)

Same as above.

> o CAN-2004-1065:
> exif_read_data() overflow on long sectionname.
> (ext/exif/exif.c)
> **** NOT APPLICABLE IN 4.1.2!! ****

Real vulnerability, not applicable to woody.

> o XXX-XXXX-XXXX:
> magic_quotes_gpc could lead to one level directory traversal with
> file uploads.
> (main/rfc1867.c)
> **** PARTS OF THE PATCH NOT APPLICABLE IN 4.1.2!! ****

No real vulnerability, only precaution code.

All bugs are bugs and should be fixed in the unstable branch of PHP.

However, when they can only be exploited by a malicious PHP script,
we don't need to fix them, since a malicious PHP script requires
an authorised person to write code and he could also write system(foo)
to get shell access. PHP has thousands of such bugs.

The only real vulnerabilities are identified as CAN-2004-1019 and
CAN-2004-1065 and interestingly these don't apply to the version
of PHP in woody.

Hence, no update to woody (=Debian stable) is required.

Regards,

 Joey

--
In the beginning was the word, and the word was content-type: text/plain

Please always Cc to me when replying to me on the lists.