USN-862-1: PHP vulnerabilities

Ubuntu Security Notice USN-862-1

26th November, 2009

php5 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.10
  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software description

  • php5

Details

Maksymilian Arciemowicz discovered that PHP did not properly validate
arguments to the dba_replace function. If a script passed untrusted input
to the dba_replace function, an attacker could truncate the database. This
issue only applied to Ubuntu 6.06 LTS, 8.04 LTS, and 8.10. (CVE-2008-7068)

It was discovered that PHP's php_openssl_apply_verification_policy
function did not correctly handle SSL certificates with zero bytes in the
Common Name. A remote attacker could exploit this to perform a man in the
middle attack to view sensitive information or alter encrypted
communications. (CVE-2009-3291)

It was discovered that PHP did not properly handle certain malformed images
when being parsed by the Exif module. A remote attacker could exploit this
flaw and cause the PHP server to crash, resulting in a denial of service.
(CVE-2009-3292)

Grzegorz Stachowiak discovered that PHP did not properly enforce
restrictions in the tempnam function. An attacker could exploit this issue
to bypass safe_mode restrictions. (CVE-2009-3557)

Grzegorz Stachowiak discovered that PHP did not properly enforce
restrictions in the posix_mkfifo function. An attacker could exploit this
issue to bypass open_basedir restrictions. (CVE-2009-3558)

Bogdan Calin discovered that PHP did not limit the number of temporary
files created when handling multipart/form-data POST requests. A remote
attacker could exploit this flaw and cause the PHP server to consume all
available resources, resulting in a denial of service. (CVE-2009-4017)

ATTENTION: This update changes previous PHP behaviour by limiting the
number of files in a POST request to 50. This may be increased by adding a
"max_file_uploads" directive to the php.ini configuration file.

It was discovered that PHP did not properly enforce restrictions in the
proc_open function. An attacker could exploit this issue to bypass
safe_mode_protected_env_vars restrictions and possibly execute arbitrary
code with application privileges. (CVE-2009-4018)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 9.10:
php5-cli 5.2.10.dfsg.1-2ubuntu6.3
php5-cgi 5.2.10.dfsg.1-2ubuntu6.3
libapache2-mod-php5 5.2.10.dfsg.1-2ubuntu6.3
Ubuntu 9.04:
php5-cli 5.2.6.dfsg.1-3ubuntu4.4
php5-cgi 5.2.6.dfsg.1-3ubuntu4.4
libapache2-mod-php5 5.2.6.dfsg.1-3ubuntu4.4
Ubuntu 8.10:
php5-cli 5.2.6-2ubuntu4.5
php5-cgi 5.2.6-2ubuntu4.5
libapache2-mod-php5 5.2.6-2ubuntu4.5
Ubuntu 8.04 LTS:
php5-cli 5.2.4-2ubuntu5.9
php5-cgi 5.2.4-2ubuntu5.9
libapache2-mod-php5 5.2.4-2ubuntu5.9
Ubuntu 6.06 LTS:
php5-cli 5.1.2-1ubuntu3.17
php5-cgi 5.1.2-1ubuntu3.17
libapache2-mod-php5 5.1.2-1ubuntu3.17

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References

CVE-2008-7068, CVE-2009-3291, CVE-2009-3292, CVE-2009-3557, CVE-2009-3558, CVE-2009-4017, CVE-2009-4018