PHP Security Bug #68978: "XSS in header() with Internet Explorer" has not been backported

Bug #1594041 reported by Lukas Reschke on 2016-06-18
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
php
Unknown
Unknown
php5 (Ubuntu)
Undecided
Unassigned
Precise
Medium
Unassigned
Trusty
Medium
Unassigned
Wily
Undecided
Unassigned
Xenial
Undecided
Unassigned
Yakkety
Undecided
Unassigned

Bug Description

The PHP Security Bug #68978 (https://bugs.php.net/bug.php?id=68978) has not been backported to Trusty. It has been included with PHP 5.5.22 in February 2015.

The patch can be found at https://github.com/php/php-src/commit/996faf964bba1aec06b153b370a7f20d3dd2bb8b and is trivial.

We'd appreciate if this patch could be backported to Trusty to prevent PHP applications from being insecure against header injections in Internet Explorer. (as really no PHP application out there is really manually performing a check for this form, especially since the PHP documentation explicitly states that only one header can be sent)

Lukas Reschke (lukas-0) on 2016-06-18
description: updated
description: updated
summary: - PHP Security Bug #68978 XSS in header() with Internet Explorer has not
- been backported
+ PHP Security Bug #68978 "XSS in header() with Internet Explorer has not
+ been backported"
summary: - PHP Security Bug #68978 "XSS in header() with Internet Explorer has not
+ PHP Security Bug #68978: "XSS in header() with Internet Explorer has not
been backported"
Lukas Reschke (lukas-0) on 2016-06-19
summary: - PHP Security Bug #68978: "XSS in header() with Internet Explorer has not
- been backported"
+ PHP Security Bug #68978: "XSS in header() with Internet Explorer" has
+ not been backported
Lukas Reschke (lukas-0) on 2016-06-20
information type: Private Security → Public Security
Lukas Reschke (lukas-0) wrote :

Marked as public security bug and brought up to OSS-Security and asked MITRE for a CVE considering CVE-2011-1398

Changed in php5 (Ubuntu Wily):
status: New → Fix Released
Changed in php5 (Ubuntu Xenial):
status: New → Fix Released
Marc Deslauriers (mdeslaur) wrote :

This was assigned CVE-2015-8935

Changed in php5 (Ubuntu Precise):
status: New → Confirmed
Changed in php5 (Ubuntu Trusty):
status: New → Confirmed
Changed in php5 (Ubuntu Yakkety):
status: New → Fix Released
Changed in php5 (Ubuntu Precise):
importance: Undecided → Medium
Changed in php5 (Ubuntu Trusty):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :
Download full text (4.5 KiB)

This bug was fixed in the package php5 - 5.3.10-1ubuntu3.24

---------------
php5 (5.3.10-1ubuntu3.24) precise-security; urgency=medium

  * SECURITY UPDATE: segfault in SplMinHeap::compare
    - debian/patches/CVE-2015-4116.patch: properly handle count in
      ext/spl/spl_heap.c, added test to ext/spl/tests/bug69737.phpt.
    - CVE-2015-4116
  * SECURITY UPDATE: denial of service via recursive method calls
    - debian/patches/CVE-2015-8873.patch: add limit to
      Zend/zend_exceptions.c, add tests to
      ext/standard/tests/serialize/bug69152.phpt,
      ext/standard/tests/serialize/bug69793.phpt,
      sapi/cli/tests/005.phpt.
    - CVE-2015-8873
  * SECURITY UPDATE: denial of service or code execution via crafted
    serialized data
    - debian/patches/CVE-2015-8876.patch: fix logic in
      Zend/zend_exceptions.c, added test to Zend/tests/bug70121.phpt.
    - CVE-2015-8876
  * SECURITY UPDATE: XSS in header() with Internet Explorer (LP: #1594041)
    - debian/patches/CVE-2015-8935.patch: update header handling to
      RFC 7230 in main/SAPI.c, added tests to
      ext/standard/tests/general_functions/bug60227_*.phpt.
    - CVE-2015-8935
  * SECURITY UPDATE: get_icu_value_internal out-of-bounds read
    - debian/patches/CVE-2016-5093.patch: add enough space in
      ext/intl/locale/locale_methods.c, added test to
      ext/intl/tests/bug72241.phpt.
    - CVE-2016-5093
  * SECURITY UPDATE: integer overflow in php_html_entities()
    - debian/patches/CVE-2016-5094.patch: don't create strings with lengths
      outside int range in ext/standard/html.c.
    - CVE-2016-5094
  * SECURITY UPDATE: string overflows in string add operations
    - debian/patches/CVE-2016-5095.patch: check for size overflow in
      Zend/zend_operators.c.
    - CVE-2016-5095
  * SECURITY UPDATE: int/size_t confusion in fread
    - debian/patches/CVE-2016-5096.patch: check string length in
      ext/standard/file.c, added test to
      ext/standard/tests/file/bug72114.phpt.
    - CVE-2016-5096
  * SECURITY UPDATE: memory leak and buffer overflow in FPM
    - debian/patches/CVE-2016-5114.patch: check buffer length in
      sapi/fpm/fpm/fpm_log.c.
    - CVE-2016-5114
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
      local environment in ext/standard/basic_functions.c, main/SAPI.c,
      main/php_variables.c.
    - CVE-2016-5385
  * SECURITY UPDATE: inadequate error handling in bzread()
    - debian/patches/CVE-2016-5399.patch: do not allow reading past error
      read in ext/bz2/bz2.c.
    - CVE-2016-5399
  * SECURITY UPDATE: integer overflows in mcrypt
    - debian/patches/CVE-2016-5769.patch: check for overflow in
      ext/mcrypt/mcrypt.c.
    - CVE-2016-5769
  * SECURITY UPDATE: double free corruption in wddx_deserialize
    - debian/patches/CVE-2016-5772.patch: prevent double-free in
      ext/wddx/wddx.c, added test to ext/wddx/tests/bug72340.phpt.
    - CVE-2016-5772
  * SECURITY UPDATE: buffer overflow in php_url_parse_ex()
    - debian/patches/CVE-2016-6288.patch: handle length in
      ext/standard/url.c.
    - CVE-2016-6288
  * SECURITY UPDATE: integer overflow i...

Read more...

Changed in php5 (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (5.6 KiB)

This bug was fixed in the package php5 - 5.5.9+dfsg-1ubuntu4.19

---------------
php5 (5.5.9+dfsg-1ubuntu4.19) trusty-security; urgency=medium

  * SECURITY UPDATE: segfault in SplMinHeap::compare
    - debian/patches/CVE-2015-4116.patch: properly handle count in
      ext/spl/spl_heap.c, added test to ext/spl/tests/bug69737.phpt.
    - CVE-2015-4116
  * SECURITY UPDATE: denial of service via recursive method calls
    - debian/patches/CVE-2015-8873.patch: add limit to
      Zend/zend_exceptions.c, add tests to
      ext/standard/tests/serialize/bug69152.phpt,
      ext/standard/tests/serialize/bug69793.phpt,
      sapi/cli/tests/005.phpt.
    - CVE-2015-8873
  * SECURITY UPDATE: denial of service or code execution via crafted
    serialized data
    - debian/patches/CVE-2015-8876.patch: fix logic in
      Zend/zend_exceptions.c, added test to Zend/tests/bug70121.phpt.
    - CVE-2015-8876
  * SECURITY UPDATE: XSS in header() with Internet Explorer (LP: #1594041)
    - debian/patches/CVE-2015-8935.patch: update header handling to
      RFC 7230 in main/SAPI.c, added tests to
      ext/standard/tests/general_functions/bug60227_*.phpt.
    - CVE-2015-8935
  * SECURITY UPDATE: get_icu_value_internal out-of-bounds read
    - debian/patches/CVE-2016-5093.patch: add enough space in
      ext/intl/locale/locale_methods.c, added test to
      ext/intl/tests/bug72241.phpt.
    - CVE-2016-5093
  * SECURITY UPDATE: integer overflow in php_html_entities()
    - debian/patches/CVE-2016-5094.patch: don't create strings with lengths
      outside int range in ext/standard/html.c.
    - CVE-2016-5094
  * SECURITY UPDATE: string overflows in string add operations
    - debian/patches/CVE-2016-5095.patch: check for size overflow in
      Zend/zend_operators.c.
    - CVE-2016-5095
  * SECURITY UPDATE: int/size_t confusion in fread
    - debian/patches/CVE-2016-5096.patch: check string length in
      ext/standard/file.c, added test to
      ext/standard/tests/file/bug72114.phpt.
    - CVE-2016-5096
  * SECURITY UPDATE: memory leak and buffer overflow in FPM
    - debian/patches/CVE-2016-5114.patch: check buffer length in
      sapi/fpm/fpm/fpm_log.c.
    - CVE-2016-5114
  * SECURITY UPDATE: proxy request header vulnerability (httpoxy)
    - debian/patches/CVE-2016-5385.patch: only use HTTP_PROXY from the
      local environment in ext/standard/basic_functions.c, main/SAPI.c,
      main/php_variables.c.
    - CVE-2016-5385
  * SECURITY UPDATE: inadequate error handling in bzread()
    - debian/patches/CVE-2016-5399.patch: do not allow reading past error
      read in ext/bz2/bz2.c.
    - CVE-2016-5399
  * SECURITY UPDATE: double free in _php_mb_regex_ereg_replace_exec
    - debian/patches/CVE-2016-5768.patch: check pointer in
      ext/mbstring/php_mbregex.c, added test to
      ext/mbstring/tests/bug72402.phpt.
    - CVE-2016-5768
  * SECURITY UPDATE: integer overflows in mcrypt
    - debian/patches/CVE-2016-5769.patch: check for overflow in
      ext/mcrypt/mcrypt.c.
    - CVE-2016-5769
  * SECURITY UPDATE: ese after free GC algorithm and unserialize
    - debian/patches/CVE-2016-5771.patch: added new handler in
      ext/spl/spl_array.c, added test to Zend/tes...

Read more...

Changed in php5 (Ubuntu Trusty):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.