CVE-2011-2202

Bug #813115 reported by Shaun Duncan on 2011-07-19
This bug affects 2 people
Affects          Status   Importance   Assigned to     Milestone
php5 (Ubuntu)             Medium       Unassigned
Hardy                     Medium       Steve Beattie
Lucid                     Medium       Steve Beattie
Maverick                  Medium       Steve Beattie
Natty                     Medium       Steve Beattie
Oneiric                   Medium       Unassigned

Bug Description

Release 5.3.6-11ubuntu1 of php5 main/rfc1867.c requires the patch released at http://svn.php.net/viewvc?view=revision&revision=312103 that prevents a file path injection vulnerability.

visibility: private → public
Changed in php5 (Ubuntu Hardy):
importance: Undecided → Medium
status: New → Confirmed
Changed in php5 (Ubuntu Lucid):
importance: Undecided → Medium
status: New → Confirmed
Changed in php5 (Ubuntu Maverick):
importance: Undecided → Medium
status: New → Confirmed
Changed in php5 (Ubuntu Natty):
importance: Undecided → Medium
status: New → Confirmed
Changed in php5 (Ubuntu Oneiric):
importance: Undecided → Medium
status: New → Confirmed
Angel Abad (angelabad) wrote :

This patch is applied in the 5.3.6-13ubuntu1 upload

Changed in php5 (Ubuntu Oneiric):
status: Confirmed → Fix Released
Angel Abad (angelabad) on 2011-09-18
tags: removed: 5.3.6-11ubuntu1 cve-2011-2202 php5
Angel Abad (angelabad) wrote :

php5 (5.3.5-1ubuntu7.3) natty-security; urgency=low

  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202

 -- Angel Abad <email address hidden> Sun, 18 Sep 2011 15:41:14 +0200

Angel Abad (angelabad) wrote :

php5 (5.3.3-1ubuntu9.6) maverick-security; urgency=low

  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202

 -- Angel Abad <email address hidden> Sun, 18 Sep 2011 21:18:32 +0200

Changed in php5 (Ubuntu Lucid):
assignee: nobody → Angel Abad (angelabad)
status: Confirmed → In Progress
Changed in php5 (Ubuntu Hardy):
assignee: nobody → Angel Abad (angelabad)
status: Confirmed → In Progress
Angel Abad (angelabad) wrote :

php5 (5.3.2-1ubuntu4.10) lucid-security; urgency=low

  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202

 -- Angel Abad <email address hidden> Sun, 18 Sep 2011 22:17:07 +0200

Changed in php5 (Ubuntu Lucid):
assignee: Angel Abad (angelabad) → nobody
status: In Progress → Confirmed
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiffs. Subscribing ubuntu-security-sponsors.

Angel Abad (angelabad) wrote :

php5 (5.2.4-2ubuntu5.18) hardy-security; urgency=low

  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202

 -- Angel Abad <email address hidden> Sun, 18 Sep 2011 22:33:47 +0200

Angel Abad (angelabad) wrote :

Last debdiff...

Changed in php5 (Ubuntu Hardy):
assignee: Angel Abad (angelabad) → nobody
status: In Progress → Confirmed
Steve Beattie (sbeattie) wrote :

Angel,

Thanks, these debdiffs look good, I'll incorporate them as there are other open CVEs for php5 that need to be addressed (see http://people.canonical.com/~ubuntu-security/cve/pkg/php5.html ).

Assigning to myself.

Changed in php5 (Ubuntu Hardy):
assignee: nobody → Steve Beattie (sbeattie)
Changed in php5 (Ubuntu Lucid):
assignee: nobody → Steve Beattie (sbeattie)
Changed in php5 (Ubuntu Maverick):
assignee: nobody → Steve Beattie (sbeattie)
Changed in php5 (Ubuntu Natty):
assignee: nobody → Steve Beattie (sbeattie)
Angel Abad (angelabad) wrote :

Thanks Steve, I'll take a look at these CVEs

Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors since Steve is handling this as part of his update.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.5-1ubuntu7.3

---------------
php5 (5.3.5-1ubuntu7.3) natty-security; urgency=low

  [ Angel Abad ]
  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202
  * SECURITY UPDATE: Fixed stack buffer overflow in socket_connect()
    (LP: #813110)
    - debian/patches/php5-CVE-2011-1938.patch:
    - CVE-2011-1938

  [ Steve Beattie ]
  * SECURITY UPDATE: DoS in zip handling due to addGlob() crashing
    on invalid flags
    - debian/patches/php5-CVE-2011-1657.patch: check for valid flags
    - CVE-2011-1657
  * SECURITY UPDATE: crypt_blowfish doesn't properly handle 8-bit
    (non-ascii) passwords leading to a smaller collision space
    - debian/patches/php5-CVE-2011-2483.patch: update crypt_blowfish
      to 1.2 to correct handling of passwords containing 8-bit
      (non-ascii) characters.
      CVE-2011-2483
  * SECURITY UPDATE: DoS due to failure to check for memory allocation errors
    - debian/patches/php5-CVE-2011-3182.patch: check the return values
      of the malloc, calloc, and realloc functions
    - CVE-2011-3182
  * SECURITY UPDATE: DoS in errorlog() when passed NULL
    - debian/patches/php5-CVE-2011-3267.patch: fix NULL pointer crash in
      errorlog()
    - CVE-2011-3267
  * debian/patches/fix_crash_in__php_mssql_get_column_content_without_type.patch:
    refresh patch to make it cleanly apply.
 -- Steve Beattie <email address hidden> Thu, 13 Oct 2011 13:49:23 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.3-1ubuntu9.6

---------------
php5 (5.3.3-1ubuntu9.6) maverick-security; urgency=low

  [ Angel Abad ]
  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202
  * SECURITY UPDATE: Fixed stack buffer overflow in socket_connect()
    (LP: #813110)
    - debian/patches/php5-CVE-2011-1938.patch:
    - CVE-2011-1938

  [ Steve Beattie ]
  * SECURITY UPDATE: DoS in zip handling due to addGlob() crashing
    on invalid flags
    - debian/patches/php5-CVE-2011-1657.patch: check for valid flags
    - CVE-2011-1657
  * SECURITY UPDATE: crypt_blowfish doesn't properly handle 8-bit
    (non-ascii) passwords leading to a smaller collision space
    - debian/patches/php5-CVE-2011-2483.patch: update crypt_blowfish
      to 1.2 to correct handling of passwords containing 8-bit
      (non-ascii) characters.
      CVE-2011-2483
  * SECURITY UPDATE: DoS due to failure to check for memory allocation errors
    - debian/patches/php5-CVE-2011-3182.patch: check the return values
      of the malloc, calloc, and realloc functions
    - CVE-2011-3182
  * SECURITY UPDATE: DoS in errorlog() when passed NULL
    - debian/patches/php5-CVE-2011-3267.patch: fix NULL pointer crash in
      errorlog()
    - CVE-2011-3267
 -- Steve Beattie <email address hidden> Thu, 13 Oct 2011 13:56:23 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.2-1ubuntu4.10

---------------
php5 (5.3.2-1ubuntu4.10) lucid-security; urgency=low

  [ Angel Abad ]
  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202
  * SECURITY UPDATE: Fixed stack buffer overflow in socket_connect()
    (LP: #813110)
    - debian/patches/php5-CVE-2011-1938.patch:
    - CVE-2011-1938

  [ Steve Beattie ]
  * SECURITY UPDATE: DoS in zip handling due to addGlob() crashing
    on invalid flags
    - debian/patches/php5-CVE-2011-1657.patch: check for valid flags
    - CVE-2011-1657
  * SECURITY UPDATE: crypt_blowfish doesn't properly handle 8-bit
    (non-ascii) passwords leading to a smaller collision space
    - debian/patches/php5-CVE-2011-2483.patch: update crypt_blowfish
      to 1.2 to correct handling of passwords containing 8-bit
      (non-ascii) characters.
      CVE-2011-2483
  * SECURITY UPDATE: DoS due to failure to check for memory allocation errors
    - debian/patches/php5-CVE-2011-3182.patch: check the return values
      of the malloc, calloc, and realloc functions
    - CVE-2011-3182
  * SECURITY UPDATE: DoS in errorlog() when passed NULL
    - debian/patches/php5-CVE-2011-3267.patch: fix NULL pointer crash in
      errorlog()
    - CVE-2011-3267
  * SECURITY UPDATE: information leak via handler interrupt (LP: #852871)
    - debian/patches/php5-CVE-2010-1914.patch: grab references before
      calling zendi_convert_to_long()
    - CVE-2010-1914
 -- Steve Beattie <email address hidden> Fri, 14 Oct 2011 14:24:59 -0700

Changed in php5 (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in php5 (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in php5 (Ubuntu Natty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.2.4-2ubuntu5.18

---------------
php5 (5.2.4-2ubuntu5.18) hardy-security; urgency=low

  [ Angel Abad ]
  * SECURITY UPDATE: File path injection vulnerability in RFC1867 File
    upload filename (LP: #813115)
    - debian/patches/php5-CVE-2011-2202.patch:
    - CVE-2011-2202

  [ Steve Beattie ]
  * SECURITY UPDATE: DoS due to failure to check for memory allocation errors
    - debian/patches/php5-CVE-2011-3182.patch: check the return values
      of the malloc, calloc, and realloc functions
    - CVE-2011-3182
  * SECURITY UPDATE: Information leak via strchr interrupt (LP: #852865)
    - debian/patches/php5-CVE-2010-2484.patch: grab references before
      converting to string
    - CVE-2010-2484
 -- Steve Beattie <email address hidden> Fri, 14 Oct 2011 20:10:17 -0700

Changed in php5 (Ubuntu Hardy):
status: Confirmed → Fix Released
This report contains Public Security information
Everyone can see this security related information.
