CVE-2008-3658,2008-3659,2008-3660

Bug #286851 reported by SwissSign Operations Team on 2008-10-21
264
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Debian
Fix Released
Unknown
php5 (Ubuntu)
Undecided
Unassigned
Hardy
Undecided
Unassigned

Bug Description

Binary package hint: php5

DSA-1647-1 has three fixes for the above CVE's (Debian Bugs 499987, 499988, 499989):

CVE-2008-3658

     Buffer overflow in the imageloadfont function allows a denial
     of service or code execution through a crafted font file.

CVE-2008-3659

     Buffer overflow in the memnstr function allows a denial of
     service or code execution via a crafted delimiter parameter
     to the explode function.

CVE-2008-3660

     Denial of service is possible in the FastCGI module by a
     remote attacker by making a request with multiple dots
     before the extension.

Will this be backportet into dapper? It's still under LTS, isn't it?

krgds /markus

Thilo Uttendorfer (t-lo) wrote :

These CVEs aren't fixed for hardy (and probably gutsy), too. Is there an update planned or are the ubuntu packages not affected?

Thilo Uttendorfer (t-lo) wrote :

I'm still not sure if the packages are affected at all, nevertheless I managed to use the patches from Debian: php5 (5.2.0-8+etch13). You need the following patches from debian/patches/
139-CVE-2008-3659.patch
140-CVE-2008-3658.patch
141-CVE-2008-3660.patch

Then you need to update debian/patches/series and change some small things in 141-CVE-2008-3660.patch (I can post that, if somebody is interested).

Mark Lee (malept) wrote :

For what it's worth, I used the patches from the Debian Lenny php5 package without modification to backport to Hardy. The resulting package is available in my PPA: <https://launchpad.net/~malept/+archive>. The package also contains the patch for CVE-2008-5557, and an updated PEAR installation.

Mark Lee (malept) wrote :

I didn't mean to add that CVE to this bug. I'll file it in a separate bug.

Changed in php5:
status: New → Confirmed
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.2.6-2ubuntu4.1

---------------
php5 (5.2.6-2ubuntu4.1) intrepid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible arbitrary code execution
    via crafted font file. (LP: #286851)
    - debian/patches/120-SECURITY-CVE-2008-3658.patch: make sure font->nchars,
      font->h, and font->w don't cause overflows in ext/gd/gd.c. Also, add
      test script ext/gd/tests/imageloadfont_invalid.phpt.
    - CVE-2008-3658
  * SECURITY UPDATE: denial of service and possible arbitrary code execution
    via the delimiter argument to the explode function. (LP: #286851)
    - debian/patches/121-SECURITY-CVE-2008-3659.patch: make sure needle_length
      is sane in ext/standard/tests/strings/explode_bug.phpt. Also, add test
      script ext/standard/tests/strings/explode_bug.phpt.
    - CVE-2008-3659
  * SECURITY UPDATE: denial of service via a request with multiple dots
    preceding the extension. (ex: foo..php) (LP: #286851)
    - debian/patches/122-SECURITY-CVE-2008-3660.patch: improve .. cleaning with
      a new is_valid_path() function in sapi/cgi/cgi_main.c.
    - CVE-2008-3660
  * SECURITY UPDATE: mbstring extension arbitrary code execution via crafted
    string containing HTML entity. (LP: #317672)
    - debian/patches/123-SECURITY-CVE-2008-5557.patch: improve
      mbfl_filt_conv_html_dec_flush() error handling in
      ext/mbstring/libmbfl/filters/mbfilter_htmlent.c.
    - CVE-2008-5557
  * SECURITY UPDATE: safe_mode restriction bypass via unrestricted variable
    settings.
    - debian/patches/124-SECURITY-CVE-2008-5624.patch: make sure the page_uid
      and page_gid get initialized properly in ext/standard/basic_functions.c.
      Also, init server_context before processing config variables in
      sapi/apache/mod_php5.c.
    - CVE-2008-5624
  * SECURITY UPDATE: arbitrary file write by placing a "php_value error_log"
    entry in a .htaccess file.
    - debian/patches/125-SECURITY-CVE-2008-5625.patch: enforce restrictions
      when merging in dir entry in sapi/apache/mod_php5.c and
      sapi/apache2handler/apache_config.c.
    - CVE-2008-5625
  * SECURITY UPDATE: arbitrary file overwrite from directory traversal via zip
    file with dot-dot filenames.
    - debian/patches/126-SECURITY-CVE-2008-5658.patch: clean up filename paths
      in ext/zip/php_zip.c with new php_zip_realpath_r(),
      php_zip_virtual_file_ex() and php_zip_make_relative_path() functions.
    - CVE-2008-5658

 -- Marc Deslauriers <email address hidden> Mon, 26 Jan 2009 08:43:21 -0500

Changed in php5:
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.2.4-2ubuntu5.5

---------------
php5 (5.2.4-2ubuntu5.5) hardy-security; urgency=low

  * SECURITY UPDATE: php_admin_value and php_admin_flag restrictions bypass via
    ini_set. (LP: #228095)
    - debian/patches/120_SECURITY_CVE-2007-5900.patch: add new
      zend_alter_ini_entry_ex() function that extends zend_alter_ini_entry() by
      making sure the entry can be modified in Zend/zend_ini.{c,h},
      Zend/zend_vm_def.h, and Zend/zend_vm_execute.h.
    - CVE-2007-5900
  * SECURITY UPDATE: denial of service and possible arbitrary code execution
    via crafted font file. (LP: #286851)
    - debian/patches/121_SECURITY_CVE-2008-3658.patch: make sure font->nchars,
      font->h, and font->w don't cause overflows in ext/gd/gd.c. Also, add
      test script ext/gd/tests/imageloadfont_invalid.phpt.
    - CVE-2008-3658
  * SECURITY UPDATE: denial of service and possible arbitrary code execution
    via the delimiter argument to the explode function. (LP: #286851)
    - debian/patches/122_SECURITY_CVE-2008-3659.patch: make sure needle_length
      is sane in ext/standard/tests/strings/explode_bug.phpt. Also, add test
      script ext/standard/tests/strings/explode_bug.phpt.
    - CVE-2008-3659
  * SECURITY UPDATE: denial of service via a request with multiple dots
    preceding the extension. (ex: foo..php) (LP: #286851)
    - debian/patches/123_SECURITY_CVE-2008-3660.patch: improve .. cleaning with
      a new is_valid_path() function in sapi/cgi/cgi_main.c.
    - CVE-2008-3660
  * SECURITY UPDATE: mbstring extension arbitrary code execution via crafted
    string containing HTML entity. (LP: #317672)
    - debian/patches/124_SECURITY_CVE-2008-5557.patch: improve
      mbfl_filt_conv_html_dec_flush() error handling in
      ext/mbstring/libmbfl/filters/mbfilter_htmlent.c.
    - CVE-2008-5557
  * SECURITY UPDATE: safe_mode restriction bypass via unrestricted variable
    settings.
    - debian/patches/125_SECURITY_CVE-2008-5624.patch: make sure the page_uid
      and page_gid get initialized properly in ext/standard/basic_functions.c.
      Also, init server_context before processing config variables in
      sapi/apache/mod_php5.c.
    - CVE-2008-5624
  * SECURITY UPDATE: arbitrary file write by placing a "php_value error_log"
    entry in a .htaccess file.
    - debian/patches/126_SECURITY_CVE-2008-5625.patch: enforce restrictions
      when merging in dir entry in sapi/apache/mod_php5.c and
      sapi/apache2handler/apache_config.c.
    - CVE-2008-5625
  * SECURITY UPDATE: arbitrary file overwrite from directory traversal via zip
    file with dot-dot filenames.
    - debian/patches/127_SECURITY_CVE-2008-5658.patch: clean up filename paths
      in ext/zip/php_zip.c with new php_zip_realpath_r(),
      php_zip_virtual_file_ex() and php_zip_make_relative_path() functions.
    - CVE-2008-5658

 -- Marc Deslauriers <email address hidden> Tue, 27 Jan 2009 14:22:51 -0500

Changed in php5:
status: Confirmed → Fix Released
Changed in debian:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.