             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                              PHP Security Update
                          [Red Hat RHSA-2006:0567-7]

July 25, 2006 20:00 GMT                                           Number Q-257
______________________________________________________________________________
PROBLEM:       A directory traversal vulnerability was found in PHP.

PLATFORM:      Red Hat Enterprise Linux AS, ES, WS (v. 2.1)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium
               Processor

DAMAGE:        Local users could bypass open_basedir restrictions allowing
               remote attackers to create files in arbitrary directories
               via the tempnam() function.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. Local users could bypass open_basedir
ASSESSMENT:    restrictions allowing remote attackers to create files in
               arbitrary directories via the tempnam() function.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-257.shtml
 ORIGINAL BULLETIN:  Red Hat RHSA-2006:0567-7
                     https://rhn.redhat.com/errata/RHSA-2006-0567.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1494
______________________________________________________________________________

[***** Start Red Hat RHSA-2006:0567-7 *****]

Moderate: php security update

Advisory:         RHSA-2006:0567-7
Type:             Security Advisory
Issued on:        2006-07-25
Last updated on:  2006-07-25

Affected Products:
  Red Hat Enterprise Linux AS (v. 2.1)
  Red Hat Enterprise Linux ES (v. 2.1)
  Red Hat Enterprise Linux WS (v. 2.1)
  Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

CVEs (cve.mitre.org):
  CVE-2002-2214
  CVE-2006-1494
  CVE-2006-3017

Details

Updated PHP packages that fix multiple security issues are now available for
Red Hat Enterprise Linux 2.1.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP
Web server.

A flaw was found in the zend_hash_del() PHP function. For PHP scripts that
rely on the use of the unset() function, a remote attacker could force
variable initialization to be bypassed. This would be a security issue
particularly for installations that enable the "register_globals" setting.
"register_globals" is disabled by default in Red Hat Enterprise Linux.
(CVE-2006-3017)

A directory traversal vulnerability was found in PHP. Local users could bypass
open_basedir restrictions allowing remote attackers to create files in
arbitrary directories via the tempnam() function. (CVE-2006-1494)

A flaw was found in the PHP IMAP MIME header decoding function. An attacker
could craft a message with an overly long header which caused PHP to crash.
(CVE-2002-2214)

Users of PHP should upgrade to these updated packages, which contain
backported patches that resolve these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch
the Red Hat Update Agent with the following command:

  up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Enterprise Linux AS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
  php-4.1.2-2.8.src.rpm              b00da9890a6407ceeefde6af712335a8
IA-32:
  php-4.1.2-2.8.i386.rpm             49c5170d0254ab6852ed1a0ec99ee005
  php-devel-4.1.2-2.8.i386.rpm       fbbf8ecb1d8212fb61ab03cb582fa6ba
  php-imap-4.1.2-2.8.i386.rpm        a8cc27adc804ac40f5530f5bc305209b
  php-ldap-4.1.2-2.8.i386.rpm        2b9e509db230478986a620bccf3c3595
  php-manual-4.1.2-2.8.i386.rpm      296c22cd73b830fc0455a3cc00b38858
  php-mysql-4.1.2-2.8.i386.rpm       a083c9ad5a0aef8c528abb1123bb88aa
  php-odbc-4.1.2-2.8.i386.rpm        7df60aec5a0b642ea6e8fcb8ae4e0bc4
  php-pgsql-4.1.2-2.8.i386.rpm       bdbfcb35354ad079d4a15a4054f2caf8
IA-64:
  php-4.1.2-2.8.ia64.rpm             0de57ca1d1f8ad29f509288a9c67f501
  php-devel-4.1.2-2.8.ia64.rpm       b386f3eacea485b36525055006fa89c5
  php-imap-4.1.2-2.8.ia64.rpm        91b7f7262828ad5c9f17d8e1e02bd9e1
  php-ldap-4.1.2-2.8.ia64.rpm        bb5d71d5964ed4e3ebaba5c1e755599c
  php-manual-4.1.2-2.8.ia64.rpm      2d1d721016880e26c041d36af289288f
  php-mysql-4.1.2-2.8.ia64.rpm       74de741c6420b49591eb82e8d3109286
  php-odbc-4.1.2-2.8.ia64.rpm        ac98627c368011e8bc123fab619131fa
  php-pgsql-4.1.2-2.8.ia64.rpm       101f908d73b7182821a6ca553df4c3f5

Red Hat Enterprise Linux ES (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
  php-4.1.2-2.8.src.rpm              b00da9890a6407ceeefde6af712335a8
IA-32:
  php-4.1.2-2.8.i386.rpm             49c5170d0254ab6852ed1a0ec99ee005
  php-devel-4.1.2-2.8.i386.rpm       fbbf8ecb1d8212fb61ab03cb582fa6ba
  php-imap-4.1.2-2.8.i386.rpm        a8cc27adc804ac40f5530f5bc305209b
  php-ldap-4.1.2-2.8.i386.rpm        2b9e509db230478986a620bccf3c3595
  php-manual-4.1.2-2.8.i386.rpm      296c22cd73b830fc0455a3cc00b38858
  php-mysql-4.1.2-2.8.i386.rpm       a083c9ad5a0aef8c528abb1123bb88aa
  php-odbc-4.1.2-2.8.i386.rpm        7df60aec5a0b642ea6e8fcb8ae4e0bc4
  php-pgsql-4.1.2-2.8.i386.rpm       bdbfcb35354ad079d4a15a4054f2caf8

Red Hat Enterprise Linux WS (v. 2.1)
--------------------------------------------------------------------------------
SRPMS:
  php-4.1.2-2.8.src.rpm              b00da9890a6407ceeefde6af712335a8
IA-32:
  php-4.1.2-2.8.i386.rpm             49c5170d0254ab6852ed1a0ec99ee005
  php-devel-4.1.2-2.8.i386.rpm       fbbf8ecb1d8212fb61ab03cb582fa6ba
  php-imap-4.1.2-2.8.i386.rpm        a8cc27adc804ac40f5530f5bc305209b
  php-ldap-4.1.2-2.8.i386.rpm        2b9e509db230478986a620bccf3c3595
  php-manual-4.1.2-2.8.i386.rpm      296c22cd73b830fc0455a3cc00b38858
  php-mysql-4.1.2-2.8.i386.rpm       a083c9ad5a0aef8c528abb1123bb88aa
  php-odbc-4.1.2-2.8.i386.rpm        7df60aec5a0b642ea6e8fcb8ae4e0bc4
  php-pgsql-4.1.2-2.8.i386.rpm       bdbfcb35354ad079d4a15a4054f2caf8

Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
--------------------------------------------------------------------------------
SRPMS:
  php-4.1.2-2.8.src.rpm              b00da9890a6407ceeefde6af712335a8
IA-64:
  php-4.1.2-2.8.ia64.rpm             0de57ca1d1f8ad29f509288a9c67f501
  php-devel-4.1.2-2.8.ia64.rpm       b386f3eacea485b36525055006fa89c5
  php-imap-4.1.2-2.8.ia64.rpm        91b7f7262828ad5c9f17d8e1e02bd9e1
  php-ldap-4.1.2-2.8.ia64.rpm        bb5d71d5964ed4e3ebaba5c1e755599c
  php-manual-4.1.2-2.8.ia64.rpm      2d1d721016880e26c041d36af289288f
  php-mysql-4.1.2-2.8.ia64.rpm       74de741c6420b49591eb82e8d3109286
  php-odbc-4.1.2-2.8.ia64.rpm        ac98627c368011e8bc123fab619131fa
  php-pgsql-4.1.2-2.8.ia64.rpm       101f908d73b7182821a6ca553df4c3f5

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

  195495 - CVE-2002-2214 php imap To header buffer overflow
  196257 - CVE-2006-3017 zend_hash_del bug
  197050 - CVE-2006-1494 PHP tempname open_basedir issue

References

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2214
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1494
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3017
  http://www.php.net/register_globals
  http://www.redhat.com/security/updates/classification/#moderate

--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
  https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2006:0567-7 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.
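The Solution section of the Red Hat advisory tells administrators to run up2date and then lists the fixed package names with their MD5 digests. The following script is an added example (not CIAC's or Red Hat's own tooling) of the two checks an administrator would run afterwards: confirming that every installed php-* package is at or above the fixed release 4.1.2-2.8, using a simplified RPM version comparison, and confirming that a package file fetched by hand matches the digest printed in the advisory. The package names, digests and fixed release are copied from the bulletin; the stand-in download and the `rpm -qa` output are constructed for the example.

```python
"""Post-update checks for RHSA-2006:0567-7 (added example, not CIAC's or
Red Hat's own tooling). Package names, digests and the fixed release are
copied from the advisory; SAMPLE_FILE and SAMPLE_RPM_QUERY are constructed."""
import hashlib
import re

# Excerpt of the advisory's "Updated packages" list (file name, MD5).
ADVISORY_MANIFEST = """\
php-4.1.2-2.8.i386.rpm 49c5170d0254ab6852ed1a0ec99ee005
php-imap-4.1.2-2.8.i386.rpm a8cc27adc804ac40f5530f5bc305209b
php-4.1.2-2.8.ia64.rpm 0de57ca1d1f8ad29f509288a9c67f501
"""

# Constructed stand-in for a downloaded package (not a real rpm); its digest is
# appended to the manifest so the match path can be exercised offline.
SAMPLE_FILE = b"constructed stand-in for a downloaded rpm, not a real package"
SAMPLE_MANIFEST = ADVISORY_MANIFEST + "sample-0-0.i386.rpm %s\n" % hashlib.md5(SAMPLE_FILE).hexdigest()

FIXED_VERSION, FIXED_RELEASE = "4.1.2", "2.8"   # from the advisory's package list

_MD5 = re.compile(r"[0-9a-f]{32}")
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def parse_manifest(text):
    """Return {filename: md5} from 'filename md5' lines; other lines are ignored."""
    manifest = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and _MD5.fullmatch(parts[1]):
            manifest[parts[0]] = parts[1]
    return manifest


def md5_matches(manifest, filename, data):
    """True only if filename is listed in the manifest and data hashes to that digest."""
    expected = manifest.get(filename)
    return expected is not None and hashlib.md5(data).hexdigest() == expected


def rpmvercmp(a, b):
    """Simplified rpmvercmp: walk alternating numeric/alphabetic segments.
    Numeric segments compare as integers (so release 2.10 is newer than 2.8),
    alphabetic ones lexically, and a numeric segment outranks an alphabetic one.
    Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr):
    """'php-imap-4.1.2-2.7' -> ('php-imap', '4.1.2', '2.7'): the release is the
    last '-' field, the version the one before it, and the rest is the name."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(nvr, version=FIXED_VERSION, release=FIXED_RELEASE):
    """True when the package's version-release is at or above the fixed one."""
    _, v, r = split_nvr(nvr)
    c = rpmvercmp(v, version)
    if c == 0:
        c = rpmvercmp(r, release)
    return c >= 0


def unpatched(rpm_query_output):
    """Given the lines printed by
    rpm -qa 'php*' --qf '%{NAME}-%{VERSION}-%{RELEASE}\\n'
    return the package NVRs that are still below the fixed release."""
    return [line.strip() for line in rpm_query_output.splitlines()
            if line.strip() and not is_fixed(line.strip())]


# Constructed rpm -qa output for a host where the upgrade only partly applied.
SAMPLE_RPM_QUERY = """\
php-4.1.2-2.8
php-imap-4.1.2-2.7
php-ldap-4.1.2-2.8
php-mysql-4.1.2-2.6
"""

if __name__ == "__main__":
    manifest = parse_manifest(SAMPLE_MANIFEST)
    print("digest ok:", md5_matches(manifest, "sample-0-0.i386.rpm", SAMPLE_FILE))
    print("still unpatched:", unpatched(SAMPLE_RPM_QUERY))
```

The version comparison deliberately treats release fields numerically segment by segment, so a later errata release such as 2.10 is not mistaken for being older than 2.8 by a plain string comparison. The digest check refuses files that are not in the manifest at all, which is the right default when the file name itself came from an untrusted source.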
This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall
not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-247: vixie-cron Security Update
Q-248: kernel-source-2.6.8 et.al.
Q-249: Vulnerability in PowerPoint
Q-250: Multiple Vulnerabilities in Cisco Security Monitoring, Analysis and
       Response System (CS-MARS)
Q-251: Oracle Critical Patch Update - July 2006
Q-252: libwmf Security Update
Q-253: gimp Security Update
Q-254: SeaMonkey Security Update (was Mozilla)
Q-255: OpenSSH Security Update
Q-256: Adobe Acrobat Buffer Overflow Vulnerability