Articles / Red Hat: Updated PHP packag…

Red Hat: Updated PHP packages fix multiple security issues

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. An integer overflow was discovered in the PHP memory handling routines. If a script can cause memory allocation based on untrusted user data, a remote attacker sending a carefully crafted request could execute arbitrary code as the 'apache' user. A buffer overflow was discovered in the PHP sscanf() function. If a script used the sscanf() function with positional arguments in the format string, a remote attacker sending a carefully crafted request could execute arbitrary code as the 'apache' user. An integer overflow was discovered in the PHP wordwrap() and str_repeat() functions. If a script running on a 64-bit server used either of these functions on untrusted user data, a remote attacker sending a carefully crafted request might be able to cause a heap overflow. A buffer overflow was discovered in the PHP gd extension. If a script was set up to process GIF images from untrusted sources using the gd extension, a remote attacker could cause a heap overflow. A buffer overread was discovered in the PHP stripos() function. If a script used the stripos() function with untrusted user data, PHP may read past the end of a buffer, which could allow a denial of service attack by a remote user. An integer overflow was discovered in the PHP memory allocation handling. On 64-bit platforms, the "memory_limit" setting was not enforced correctly, which could allow a denial of service attack by a remote user. Fixed packages are available from updates.redhat.com.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Important: php security update
Advisory ID:       RHSA-2006:0688-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2006-0688.html
Issue date:        2006-10-05
Updated on:        2006-10-05
Product:           Red Hat Application Stack
CVE Names:         CVE-2006-4020 CVE-2006-4482 CVE-2006-4484 
                   CVE-2006-4485 CVE-2006-4486 CVE-2006-4812 
- ---------------------------------------------------------------------

1. Summary:

Updated PHP packages that fix multiple security issues are now available
for the Red Hat Application Stack.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - i386, x86_64
Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - i386, x86_64

3. Problem description:

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.

An integer overflow was discovered in the PHP memory handling routines. If
a script can cause memory allocation based on untrusted user data, a remote
attacker sending a carefully crafted request could execute arbitrary code
as the 'apache' user.  (CVE-2006-4812)

A buffer overflow was discovered in the PHP sscanf() function.  If a script
used the sscanf() function with positional arguments in the format string,
a remote attacker sending a carefully crafted request could execute
arbitrary code as the 'apache' user.  (CVE-2006-4020)

An integer overflow was discovered in the PHP wordwrap() and str_repeat()
functions.  If a script running on a 64-bit server used either of these
functions on untrusted user data, a remote attacker sending a carefully
crafted request might be able to cause a heap overflow.  (CVE-2006-4482)

A buffer overflow was discovered in the PHP gd extension. If a script was
set up to process GIF images from untrusted sources using the gd extension,
a remote attacker could cause a heap overflow. (CVE-2006-4484)

A buffer overread was discovered in the PHP stripos() function.  If a
script used the stripos() function with untrusted user data, PHP may read
past the end of a buffer, which could allow a denial of service attack by a
remote user. (CVE-2006-4485)

An integer overflow was discovered in the PHP memory allocation handling. 
On 64-bit platforms, the "memory_limit" setting was not enforced correctly,
which could allow a denial of service attack by a remote user. (CVE-2006-4486)

These packages also contain a fix for a bug where certain input strings to
the metaphone() function could cause memory corruption.

Users of PHP should upgrade to these updated packages, which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

207090 - CVE-2006-4020 PHP security issues (CVE-2006-4482 CVE-2006-4484 CVE-2006-4485 CVE-2006-4486)
209408 - CVE-2006-4812 PHP ecalloc integer overflow

6. RPMs required:

Red Hat Application Stack v1 for Enterprise Linux AS (v.4):

SRPMS:
ftp://updates.redhat.com/4AS-RHWAS/en/os/SRPMS/php-5.1.4-1.el4s1.4.src.rpm
8450536ffd216fffd7a2c350ef2d8122  php-5.1.4-1.el4s1.4.src.rpm

i386:
d8504a875caf435ac3d87be51da23cbb  php-5.1.4-1.el4s1.4.i386.rpm
0b093ab3604f91f031e77fc374851333  php-bcmath-5.1.4-1.el4s1.4.i386.rpm
be94330943e42d6ce9795ac1aa005c5c  php-dba-5.1.4-1.el4s1.4.i386.rpm
6a69ac6b8f30363beb5eb774ae8a7582  php-debuginfo-5.1.4-1.el4s1.4.i386.rpm
89e204920cedc8129dca821268de2fdb  php-devel-5.1.4-1.el4s1.4.i386.rpm
9404807f4baab567cebf50e00dc0328c  php-gd-5.1.4-1.el4s1.4.i386.rpm
c08f52b6d7dbb729e09f4b95f89562b1  php-imap-5.1.4-1.el4s1.4.i386.rpm
9944e216a9b9d6b06a73d620e2d5a26e  php-ldap-5.1.4-1.el4s1.4.i386.rpm
399033da724e5d135fbd4c5bea8641a3  php-mbstring-5.1.4-1.el4s1.4.i386.rpm
8cdb68afa789a1744f9c0cc4cb25f680  php-mysql-5.1.4-1.el4s1.4.i386.rpm
80b3a6b0e0b029255fea1ae1b892b3a8  php-ncurses-5.1.4-1.el4s1.4.i386.rpm
67fe4b574af94f99e22042e0b1b0617d  php-odbc-5.1.4-1.el4s1.4.i386.rpm
f3794d4b2cc0c41efb3029efea456129  php-pdo-5.1.4-1.el4s1.4.i386.rpm
ff9b98642ebf3726ab189b8b07c78cf4  php-pgsql-5.1.4-1.el4s1.4.i386.rpm
42144bb23cfba2f20967d280f6bc4087  php-snmp-5.1.4-1.el4s1.4.i386.rpm
dfe2fdeecd4fc439bad8c05e2abdefac  php-soap-5.1.4-1.el4s1.4.i386.rpm
877b079373e5d1809d7c4e092b04c12a  php-xml-5.1.4-1.el4s1.4.i386.rpm
b2a43cb90b877484085c562d931daa06  php-xmlrpc-5.1.4-1.el4s1.4.i386.rpm

x86_64:
21e04b311dc5f7b9bef079dc1dbdd01a  php-5.1.4-1.el4s1.4.x86_64.rpm
372a46e2847f69de0b14ca16cb43eaf3  php-bcmath-5.1.4-1.el4s1.4.x86_64.rpm
23531793db020c866ebe475fcddf750d  php-dba-5.1.4-1.el4s1.4.x86_64.rpm
5327f3805a18b235140ba91ece545400  php-debuginfo-5.1.4-1.el4s1.4.x86_64.rpm
db2a441639cae736640e13ab7cbe133a  php-devel-5.1.4-1.el4s1.4.x86_64.rpm
1634a9dc26e120084a6fe49262e0f0e0  php-gd-5.1.4-1.el4s1.4.x86_64.rpm
45becd8779a8da71b139b1ba3ee9400e  php-imap-5.1.4-1.el4s1.4.x86_64.rpm
3b2ef5dede854065651495602fa6c126  php-ldap-5.1.4-1.el4s1.4.x86_64.rpm
5d27f29c72f624c1a868f3cdbefd0b77  php-mbstring-5.1.4-1.el4s1.4.x86_64.rpm
edaafb7eca7e3c41acbf69259c525d14  php-mysql-5.1.4-1.el4s1.4.x86_64.rpm
c15c8d27058ad09b838a53b4f4c81b6e  php-ncurses-5.1.4-1.el4s1.4.x86_64.rpm
d888187eb18ffa7f46550138d84700fa  php-odbc-5.1.4-1.el4s1.4.x86_64.rpm
6d5d2387c96663442bf90b9a2cb45253  php-pdo-5.1.4-1.el4s1.4.x86_64.rpm
c68935c8f98ea97fc468c173c6d36509  php-pgsql-5.1.4-1.el4s1.4.x86_64.rpm
a7ac3a5427b16926fae2e91f347ea585  php-snmp-5.1.4-1.el4s1.4.x86_64.rpm
8143af224065383c5518c5f0b8764fb2  php-soap-5.1.4-1.el4s1.4.x86_64.rpm
1255ae1a27002b314951340ef15d886f  php-xml-5.1.4-1.el4s1.4.x86_64.rpm
19d384ad3ccaf7fa73c21ffa7ff012c8  php-xmlrpc-5.1.4-1.el4s1.4.x86_64.rpm

Red Hat Application Stack v1 for Enterprise Linux ES (v.4):

SRPMS:
ftp://updates.redhat.com/4ES-RHWAS/en/os/SRPMS/php-5.1.4-1.el4s1.4.src.rpm
8450536ffd216fffd7a2c350ef2d8122  php-5.1.4-1.el4s1.4.src.rpm

i386:
d8504a875caf435ac3d87be51da23cbb  php-5.1.4-1.el4s1.4.i386.rpm
0b093ab3604f91f031e77fc374851333  php-bcmath-5.1.4-1.el4s1.4.i386.rpm
be94330943e42d6ce9795ac1aa005c5c  php-dba-5.1.4-1.el4s1.4.i386.rpm
6a69ac6b8f30363beb5eb774ae8a7582  php-debuginfo-5.1.4-1.el4s1.4.i386.rpm
89e204920cedc8129dca821268de2fdb  php-devel-5.1.4-1.el4s1.4.i386.rpm
9404807f4baab567cebf50e00dc0328c  php-gd-5.1.4-1.el4s1.4.i386.rpm
c08f52b6d7dbb729e09f4b95f89562b1  php-imap-5.1.4-1.el4s1.4.i386.rpm
9944e216a9b9d6b06a73d620e2d5a26e  php-ldap-5.1.4-1.el4s1.4.i386.rpm
399033da724e5d135fbd4c5bea8641a3  php-mbstring-5.1.4-1.el4s1.4.i386.rpm
8cdb68afa789a1744f9c0cc4cb25f680  php-mysql-5.1.4-1.el4s1.4.i386.rpm
80b3a6b0e0b029255fea1ae1b892b3a8  php-ncurses-5.1.4-1.el4s1.4.i386.rpm
67fe4b574af94f99e22042e0b1b0617d  php-odbc-5.1.4-1.el4s1.4.i386.rpm
f3794d4b2cc0c41efb3029efea456129  php-pdo-5.1.4-1.el4s1.4.i386.rpm
ff9b98642ebf3726ab189b8b07c78cf4  php-pgsql-5.1.4-1.el4s1.4.i386.rpm
42144bb23cfba2f20967d280f6bc4087  php-snmp-5.1.4-1.el4s1.4.i386.rpm
dfe2fdeecd4fc439bad8c05e2abdefac  php-soap-5.1.4-1.el4s1.4.i386.rpm
877b079373e5d1809d7c4e092b04c12a  php-xml-5.1.4-1.el4s1.4.i386.rpm
b2a43cb90b877484085c562d931daa06  php-xmlrpc-5.1.4-1.el4s1.4.i386.rpm

x86_64:
21e04b311dc5f7b9bef079dc1dbdd01a  php-5.1.4-1.el4s1.4.x86_64.rpm
372a46e2847f69de0b14ca16cb43eaf3  php-bcmath-5.1.4-1.el4s1.4.x86_64.rpm
23531793db020c866ebe475fcddf750d  php-dba-5.1.4-1.el4s1.4.x86_64.rpm
5327f3805a18b235140ba91ece545400  php-debuginfo-5.1.4-1.el4s1.4.x86_64.rpm
db2a441639cae736640e13ab7cbe133a  php-devel-5.1.4-1.el4s1.4.x86_64.rpm
1634a9dc26e120084a6fe49262e0f0e0  php-gd-5.1.4-1.el4s1.4.x86_64.rpm
45becd8779a8da71b139b1ba3ee9400e  php-imap-5.1.4-1.el4s1.4.x86_64.rpm
3b2ef5dede854065651495602fa6c126  php-ldap-5.1.4-1.el4s1.4.x86_64.rpm
5d27f29c72f624c1a868f3cdbefd0b77  php-mbstring-5.1.4-1.el4s1.4.x86_64.rpm
edaafb7eca7e3c41acbf69259c525d14  php-mysql-5.1.4-1.el4s1.4.x86_64.rpm
c15c8d27058ad09b838a53b4f4c81b6e  php-ncurses-5.1.4-1.el4s1.4.x86_64.rpm
d888187eb18ffa7f46550138d84700fa  php-odbc-5.1.4-1.el4s1.4.x86_64.rpm
6d5d2387c96663442bf90b9a2cb45253  php-pdo-5.1.4-1.el4s1.4.x86_64.rpm
c68935c8f98ea97fc468c173c6d36509  php-pgsql-5.1.4-1.el4s1.4.x86_64.rpm
a7ac3a5427b16926fae2e91f347ea585  php-snmp-5.1.4-1.el4s1.4.x86_64.rpm
8143af224065383c5518c5f0b8764fb2  php-soap-5.1.4-1.el4s1.4.x86_64.rpm
1255ae1a27002b314951340ef15d886f  php-xml-5.1.4-1.el4s1.4.x86_64.rpm
19d384ad3ccaf7fa73c21ffa7ff012c8  php-xmlrpc-5.1.4-1.el4s1.4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4812
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2006 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFFJO9IXlSAg2UNWIIRAozxAJwNsQSNktv8JuyqHgkmUaFz/1nSPACgwW7i
so2WVMWnfwhHzi9F9VYISwE=
=hl2j
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.