Articles / Red Hat: Updated PHP packag…

Red Hat: Updated PHP packages fix several security issues

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A number of buffer overflow flaws were found in the PHP session extension; the str_replace() function; and the imap_mail_compose() function. If very long strings were passed to the str_replace() function, an integer overflow could occur in memory allocation. If a script used the imap_mail_compose() function to create a new MIME message based on an input body from an untrusted source, it could result in a heap overflow. An attacker with access to a PHP application affected by any these issues could trigger the flaws and possibly execute arbitrary code as the 'apache' user. When unserializing untrusted data on 64-bit platforms, the zend_hash_init() function could be forced into an infinite loop, consuming CPU resources for a limited time, until the script timeout alarm aborted execution of the script. If the wddx extension was used to import WDDX data from an untrusted source, certain WDDX input packets could expose a random portion of heap memory. If the odbc_result_all() function was used to display data from a database, and the database table contents were under an attacker's control, a format string vulnerability was possible which could allow arbitrary code execution. A one byte memory read always occurs before the beginning of a buffer. This could be triggered, for example, by any use of the header() function in a script. However it is unlikely that this would have any effect. Several flaws in PHP could allow attackers to "clobber" certain super-global variables via unspecified vectors. An input validation bug allowed a remote attacker to trigger a denial of service attack by submitting an input variable with a deeply-nested-array. Fixed packages are available from updates.redhat.com.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Important: php security update
Advisory ID:       RHSA-2007:0082-02
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0082.html
Issue date:        2007-03-13
Updated on:        2007-03-14
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-0906 CVE-2007-0907 CVE-2007-0908 
                   CVE-2007-0909 CVE-2007-0988 CVE-2007-0910 
                   CVE-2007-1285 
- ---------------------------------------------------------------------

1. Summary:

Updated PHP packages that fix several security issues are now available for
Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server. 

A number of buffer overflow flaws were found in the PHP session extension;
the str_replace() function; and the imap_mail_compose() function. If very
long strings were passed to the str_replace() function, an integer
overflow could occur in memory allocation. If a script used the
imap_mail_compose() function to create a new MIME message based on an
input body from an untrusted source, it could result in a heap overflow.
An attacker with access to a PHP application affected by any these issues
could trigger the flaws and possibly execute arbitrary code as the
'apache' user. (CVE-2007-0906)

When unserializing untrusted data on 64-bit platforms, the
zend_hash_init() function could be forced into an infinite loop, consuming
CPU resources for a limited time, until the script timeout alarm aborted
execution of the script. (CVE-2007-0988)

If the wddx extension was used to import WDDX data from an untrusted
source, certain WDDX input packets could expose a random portion of heap
memory. (CVE-2007-0908)

If the odbc_result_all() function was used to display data from a
database, and the database table contents were under an attacker's
control, a format string vulnerability was possible which could allow
arbitrary code execution. (CVE-2007-0909)

A one byte memory read always occurs before the beginning of a buffer.
This could be triggered, for example, by any use of the header() function
in a script. However it is unlikely that this would have any effect.
(CVE-2007-0907)

Several flaws in PHP could allow attackers to "clobber" certain
super-global variables via unspecified vectors. (CVE-2007-0910)

An input validation bug allowed a remote attacker to trigger a denial of
service attack by submitting an input variable with a deeply-nested-array.
(CVE-2007-1285)

Users of PHP should upgrade to these updated packages which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  

This update is available via Red Hat Network.  Details on how to use 
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

229013 - CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909,  CVE-2007-0910, CVE-2007-0988)
231597 - CVE-2007-1285 PHP Variable Destructor Deep Recursion Stack Overflow

6. RPMs required:

RHEL Desktop Workstation (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/php-5.1.6-7.el5.src.rpm
d346826e0a542ea5f6a0c21ec5c0de89  php-5.1.6-7.el5.src.rpm

i386:
a769b8752da878a65ad0991e5f35f1f3  php-5.1.6-7.el5.i386.rpm
26c852cd82b4a12e69fda6cc8a915ff2  php-bcmath-5.1.6-7.el5.i386.rpm
091678f9d2328099ef5e04fc97df370b  php-cli-5.1.6-7.el5.i386.rpm
d41ed2907aec10d018e934c0c24c3ef6  php-common-5.1.6-7.el5.i386.rpm
97be9e8c8bfd86eead518ca713160b09  php-dba-5.1.6-7.el5.i386.rpm
975b56045493472002d6f670adc77a9e  php-debuginfo-5.1.6-7.el5.i386.rpm
c5d05e5fc1b528ffdb140c9d6a6e273d  php-devel-5.1.6-7.el5.i386.rpm
7d341380dc2fcbc68acb88c950e91aaa  php-gd-5.1.6-7.el5.i386.rpm
269b687f020b595b6a9447a1c361c559  php-imap-5.1.6-7.el5.i386.rpm
34f13e8e682038c7b4523a1db3507b17  php-ldap-5.1.6-7.el5.i386.rpm
926de31a1232612a801e75ffda10a922  php-mbstring-5.1.6-7.el5.i386.rpm
60bf1b4f73996c34a2e2533925b58799  php-mysql-5.1.6-7.el5.i386.rpm
ed479d680c6766b3f21a8ee3340c4cc6  php-ncurses-5.1.6-7.el5.i386.rpm
795129d527b17823d1b9ac0fb612a397  php-odbc-5.1.6-7.el5.i386.rpm
0c57393535d5823010d992dabcebe745  php-pdo-5.1.6-7.el5.i386.rpm
753ace56f59708f10e4ad03d466d0471  php-pgsql-5.1.6-7.el5.i386.rpm
31d5fe411fc3d13715c61da09e8a3b34  php-snmp-5.1.6-7.el5.i386.rpm
3778e27df82016b0726b54febaed59cb  php-soap-5.1.6-7.el5.i386.rpm
9d091c7a236f7a3c465899ee787e94a8  php-xml-5.1.6-7.el5.i386.rpm
b5d9236d70e76d14cac5acda60275d0c  php-xmlrpc-5.1.6-7.el5.i386.rpm

x86_64:
71badbd6e44d51cfba34a32a23cd95b2  php-5.1.6-7.el5.x86_64.rpm
960ae9a9d0e00cd547da7eec1955a5d9  php-bcmath-5.1.6-7.el5.x86_64.rpm
c9d24ac66104b4d096acb6822fb9f8c6  php-cli-5.1.6-7.el5.x86_64.rpm
1cd6237e2d51c55c19d6d3b7e2f81f5e  php-common-5.1.6-7.el5.x86_64.rpm
b079b7af288906711ccd3bf02b1a0027  php-dba-5.1.6-7.el5.x86_64.rpm
84f7f59eaab122c2e147279cb2bb23b3  php-debuginfo-5.1.6-7.el5.x86_64.rpm
6c69af2c7ed239a43c518b272c6cd3c8  php-devel-5.1.6-7.el5.x86_64.rpm
f2c4004d69f4eb094e80f5829fb33fc3  php-gd-5.1.6-7.el5.x86_64.rpm
26c944eb0a556ba0d6a634613b7f67bb  php-imap-5.1.6-7.el5.x86_64.rpm
eff06352104b02ccc24a85e68714a9e2  php-ldap-5.1.6-7.el5.x86_64.rpm
39592d7a4e4c48323ba426f48a56647d  php-mbstring-5.1.6-7.el5.x86_64.rpm
a5224c1cc1b10ebe5e4173e933ae5767  php-mysql-5.1.6-7.el5.x86_64.rpm
d3c8038ca9e8ac81aab049a2147b50b7  php-ncurses-5.1.6-7.el5.x86_64.rpm
67e7ee807842e2c6963b0fe558b8f311  php-odbc-5.1.6-7.el5.x86_64.rpm
c89b0119f58fd306ac673f338cc15b5f  php-pdo-5.1.6-7.el5.x86_64.rpm
55338806427f9d63e7400410ab563198  php-pgsql-5.1.6-7.el5.x86_64.rpm
b4c50e81b595e80ef9aa09f53c7c5eed  php-snmp-5.1.6-7.el5.x86_64.rpm
dd23b2ff36947c8bfe99e089837f664f  php-soap-5.1.6-7.el5.x86_64.rpm
71ea5f61663fd7e3d5c344eb7bfdce9a  php-xml-5.1.6-7.el5.x86_64.rpm
98ad623c7547160267c38608882c4109  php-xmlrpc-5.1.6-7.el5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/php-5.1.6-7.el5.src.rpm
d346826e0a542ea5f6a0c21ec5c0de89  php-5.1.6-7.el5.src.rpm

i386:
a769b8752da878a65ad0991e5f35f1f3  php-5.1.6-7.el5.i386.rpm
26c852cd82b4a12e69fda6cc8a915ff2  php-bcmath-5.1.6-7.el5.i386.rpm
091678f9d2328099ef5e04fc97df370b  php-cli-5.1.6-7.el5.i386.rpm
d41ed2907aec10d018e934c0c24c3ef6  php-common-5.1.6-7.el5.i386.rpm
97be9e8c8bfd86eead518ca713160b09  php-dba-5.1.6-7.el5.i386.rpm
975b56045493472002d6f670adc77a9e  php-debuginfo-5.1.6-7.el5.i386.rpm
c5d05e5fc1b528ffdb140c9d6a6e273d  php-devel-5.1.6-7.el5.i386.rpm
7d341380dc2fcbc68acb88c950e91aaa  php-gd-5.1.6-7.el5.i386.rpm
269b687f020b595b6a9447a1c361c559  php-imap-5.1.6-7.el5.i386.rpm
34f13e8e682038c7b4523a1db3507b17  php-ldap-5.1.6-7.el5.i386.rpm
926de31a1232612a801e75ffda10a922  php-mbstring-5.1.6-7.el5.i386.rpm
60bf1b4f73996c34a2e2533925b58799  php-mysql-5.1.6-7.el5.i386.rpm
ed479d680c6766b3f21a8ee3340c4cc6  php-ncurses-5.1.6-7.el5.i386.rpm
795129d527b17823d1b9ac0fb612a397  php-odbc-5.1.6-7.el5.i386.rpm
0c57393535d5823010d992dabcebe745  php-pdo-5.1.6-7.el5.i386.rpm
753ace56f59708f10e4ad03d466d0471  php-pgsql-5.1.6-7.el5.i386.rpm
31d5fe411fc3d13715c61da09e8a3b34  php-snmp-5.1.6-7.el5.i386.rpm
3778e27df82016b0726b54febaed59cb  php-soap-5.1.6-7.el5.i386.rpm
9d091c7a236f7a3c465899ee787e94a8  php-xml-5.1.6-7.el5.i386.rpm
b5d9236d70e76d14cac5acda60275d0c  php-xmlrpc-5.1.6-7.el5.i386.rpm

ia64:
59deca45db02df88f078a90d4b63a5e0  php-5.1.6-7.el5.ia64.rpm
78724383db37df0b5b6d3238d0546a4b  php-bcmath-5.1.6-7.el5.ia64.rpm
35a4becee4cba77a326cb5065e518aac  php-cli-5.1.6-7.el5.ia64.rpm
81211a5929b97c9b61f768ef7afa59fa  php-common-5.1.6-7.el5.ia64.rpm
a30941ed55d65041bd2fc02da0b4eec5  php-dba-5.1.6-7.el5.ia64.rpm
5303ed94098f13a8a73f616930a38bee  php-debuginfo-5.1.6-7.el5.ia64.rpm
44c8d443ec2c792f7645492956795d8c  php-devel-5.1.6-7.el5.ia64.rpm
956d3a5cfad2ced91d9abd53c2d54d2e  php-gd-5.1.6-7.el5.ia64.rpm
7d1dc114f00391a3ed80b7abce52bd42  php-imap-5.1.6-7.el5.ia64.rpm
c9f494abcaccb0dc69f5da39b5ef6e3c  php-ldap-5.1.6-7.el5.ia64.rpm
54c5bf8b6188859ccf89bd8ee5f1479c  php-mbstring-5.1.6-7.el5.ia64.rpm
cdd50f81d23f0970cbf6676943024e27  php-mysql-5.1.6-7.el5.ia64.rpm
363ef052d679f52e52060596971d984e  php-ncurses-5.1.6-7.el5.ia64.rpm
8e74366714aa43bca1ee3d7523e3308d  php-odbc-5.1.6-7.el5.ia64.rpm
a31e6f3cb40333d91cfea4cc1dc31be5  php-pdo-5.1.6-7.el5.ia64.rpm
c8a9283cb3b466074f8e2b5b71695cf9  php-pgsql-5.1.6-7.el5.ia64.rpm
54b5685395b3e38507253f6fceb3ad7a  php-snmp-5.1.6-7.el5.ia64.rpm
4fa28d4d0eea108631ae11dc24c507a7  php-soap-5.1.6-7.el5.ia64.rpm
f3b3cf435a9a27ea4508508b52be5e51  php-xml-5.1.6-7.el5.ia64.rpm
ba31d4201e6ba1c47a2be5d205ea320b  php-xmlrpc-5.1.6-7.el5.ia64.rpm

ppc:
b1431b1febce8f6a0da1b706b3e4a65d  php-5.1.6-7.el5.ppc.rpm
f6a464c2ee63ce883b41b6bd06c2525d  php-bcmath-5.1.6-7.el5.ppc.rpm
9c08683931c05da19969c88ed37dfa20  php-cli-5.1.6-7.el5.ppc.rpm
976bc9b3bef1c643d5f2bc4f4889263c  php-common-5.1.6-7.el5.ppc.rpm
41f8e6c1d21bf2aaecbd5f99aef96fc8  php-dba-5.1.6-7.el5.ppc.rpm
7f78105c12345bd1d8df7189b94f4c39  php-debuginfo-5.1.6-7.el5.ppc.rpm
56718bdd1283ebcf7d8e482e9b4bb45e  php-devel-5.1.6-7.el5.ppc.rpm
a884ad0bb5c9ccddb2aa48e5ec84b0ea  php-gd-5.1.6-7.el5.ppc.rpm
966418dde96d45630db83ab784a07b23  php-imap-5.1.6-7.el5.ppc.rpm
d13978e5285271326934106918a6c272  php-ldap-5.1.6-7.el5.ppc.rpm
d1e1122d2723ce66af63298629703d49  php-mbstring-5.1.6-7.el5.ppc.rpm
292b11fbcc67e277e0971758a55a60e1  php-mysql-5.1.6-7.el5.ppc.rpm
57763f1feff7a785191d5224a1ae9290  php-ncurses-5.1.6-7.el5.ppc.rpm
aac7f53adff7b9173fc581be6809cedc  php-odbc-5.1.6-7.el5.ppc.rpm
6aec0a62b0305cd4a887bb3d54b6ab91  php-pdo-5.1.6-7.el5.ppc.rpm
91a79293698ccafcea817a49576b6b1c  php-pgsql-5.1.6-7.el5.ppc.rpm
8176898811a0e898bfb0158adcd1228f  php-snmp-5.1.6-7.el5.ppc.rpm
cd324c31c751ce87d5e2875811979d7e  php-soap-5.1.6-7.el5.ppc.rpm
8374aaa3195e80cf03f21970aacdea06  php-xml-5.1.6-7.el5.ppc.rpm
1699a4cede424374f53db51a40d6c23f  php-xmlrpc-5.1.6-7.el5.ppc.rpm

s390x:
b4a2955f08aa005731c012c813801d5b  php-5.1.6-7.el5.s390x.rpm
b56b3928b80aeabef61cbe3198e482d2  php-bcmath-5.1.6-7.el5.s390x.rpm
7443d3356b3d062889d44eab3863fc8a  php-cli-5.1.6-7.el5.s390x.rpm
49c9eef065dbde46a4dd48cd074e004f  php-common-5.1.6-7.el5.s390x.rpm
d2cfd29995ce8dca7db53b85634dfe18  php-dba-5.1.6-7.el5.s390x.rpm
a8d0842fc94886bfed462d5df2be7de1  php-debuginfo-5.1.6-7.el5.s390x.rpm
37d02d98287aa59b7ebd1dd5b2ea3f04  php-devel-5.1.6-7.el5.s390x.rpm
9efbd00b56547364d6ca50e8c1321d00  php-gd-5.1.6-7.el5.s390x.rpm
75932b10f243bace44feaad9370dd9a8  php-imap-5.1.6-7.el5.s390x.rpm
6f45228c38354873e0d6b72a371ff932  php-ldap-5.1.6-7.el5.s390x.rpm
2b4708e0e7d21060c57a84721d714c26  php-mbstring-5.1.6-7.el5.s390x.rpm
0b6d512aeb6489877db6aefaf0e2df09  php-mysql-5.1.6-7.el5.s390x.rpm
9f7f86b4d351f5bd2c44b909c0911c4c  php-ncurses-5.1.6-7.el5.s390x.rpm
d488c8e34ed2d15d4cd1d66e3757da0e  php-odbc-5.1.6-7.el5.s390x.rpm
28628c46d048241cf3670b93309a364b  php-pdo-5.1.6-7.el5.s390x.rpm
768215dba4ffd10112b7d31507898802  php-pgsql-5.1.6-7.el5.s390x.rpm
95755db467614b64b65531616206bb3e  php-snmp-5.1.6-7.el5.s390x.rpm
48d2893c0e654f5973ca6588faa362d9  php-soap-5.1.6-7.el5.s390x.rpm
01ecda2d3055673ade18449218ca1995  php-xml-5.1.6-7.el5.s390x.rpm
cac4acbde1d01621fe6bf9ca332e4ebc  php-xmlrpc-5.1.6-7.el5.s390x.rpm

x86_64:
71badbd6e44d51cfba34a32a23cd95b2  php-5.1.6-7.el5.x86_64.rpm
960ae9a9d0e00cd547da7eec1955a5d9  php-bcmath-5.1.6-7.el5.x86_64.rpm
c9d24ac66104b4d096acb6822fb9f8c6  php-cli-5.1.6-7.el5.x86_64.rpm
1cd6237e2d51c55c19d6d3b7e2f81f5e  php-common-5.1.6-7.el5.x86_64.rpm
b079b7af288906711ccd3bf02b1a0027  php-dba-5.1.6-7.el5.x86_64.rpm
84f7f59eaab122c2e147279cb2bb23b3  php-debuginfo-5.1.6-7.el5.x86_64.rpm
6c69af2c7ed239a43c518b272c6cd3c8  php-devel-5.1.6-7.el5.x86_64.rpm
f2c4004d69f4eb094e80f5829fb33fc3  php-gd-5.1.6-7.el5.x86_64.rpm
26c944eb0a556ba0d6a634613b7f67bb  php-imap-5.1.6-7.el5.x86_64.rpm
eff06352104b02ccc24a85e68714a9e2  php-ldap-5.1.6-7.el5.x86_64.rpm
39592d7a4e4c48323ba426f48a56647d  php-mbstring-5.1.6-7.el5.x86_64.rpm
a5224c1cc1b10ebe5e4173e933ae5767  php-mysql-5.1.6-7.el5.x86_64.rpm
d3c8038ca9e8ac81aab049a2147b50b7  php-ncurses-5.1.6-7.el5.x86_64.rpm
67e7ee807842e2c6963b0fe558b8f311  php-odbc-5.1.6-7.el5.x86_64.rpm
c89b0119f58fd306ac673f338cc15b5f  php-pdo-5.1.6-7.el5.x86_64.rpm
55338806427f9d63e7400410ab563198  php-pgsql-5.1.6-7.el5.x86_64.rpm
b4c50e81b595e80ef9aa09f53c7c5eed  php-snmp-5.1.6-7.el5.x86_64.rpm
dd23b2ff36947c8bfe99e089837f664f  php-soap-5.1.6-7.el5.x86_64.rpm
71ea5f61663fd7e3d5c344eb7bfdce9a  php-xml-5.1.6-7.el5.x86_64.rpm
98ad623c7547160267c38608882c4109  php-xmlrpc-5.1.6-7.el5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0910
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFF+BaNXlSAg2UNWIIRAhxfAJ9ip8A1CTLUML/z4PpO+CXcZMU0tQCgrosR
pesgJ9SMJSFRFvqeJna4aPI=
=k5xl
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.