(PHP Issues Fix) Re: PHP Integer Overflow in socket_iovec_alloc() May Let Remote Users Execute Code in Certain Cases
|
|
SecurityTracker Alert ID: 1006887
|
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: May 30 2003
|
Impact: Denial of service via network, Execution of arbitrary code via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 4.3.2
|
Description: An integer overflow vulnerability was reported in PHP's socket support. A remote user may be able to cause an application that uses PHP socket communications to crash or execute arbitrary code.
Mordred Security Labs reported that when PHP is compiled with the '--enable-sockets' option, a remote user may be able to trigger an integer overflow in the socket_iovec_alloc() function. This option is not a default option, according to the advisory.
A demonstration exploit script is provided:
$ cat t.php
<?php
socket_iovec_alloc(0x20000000);
?>
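The arithmetic behind this class of bug, as an added C example that is not code from PHP or from the advisory. It assumes the allocation size is an element count multiplied by an 8-byte element size in 32-bit arithmetic (ELEM_SIZE, bytes_unchecked, bytes_checked and vec_alloc are hypothetical names), and shows the unchecked computation beside a bounds-checked one, using the count from t.php.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: 8-byte elements, as struct iovec is on a 32-bit build
   (4-byte pointer + 4-byte length). */
#define ELEM_SIZE 8u

/* Vulnerable pattern: the byte count is computed in 32-bit arithmetic
   and silently wraps for large element counts. */
uint32_t bytes_unchecked(uint32_t count)
{
    return count * ELEM_SIZE;
}

/* Hardened pattern: refuse a zero count or any count whose byte size
   does not fit in 32 bits. Returns 0 on success, -1 on rejection. */
int bytes_checked(uint32_t count, uint32_t *bytes)
{
    if (count == 0 || count > UINT32_MAX / ELEM_SIZE)
        return -1;
    *bytes = count * ELEM_SIZE;
    return 0;
}

/* Allocate room for count elements, or return NULL when the request
   is rejected by the size check (or malloc itself fails). */
void *vec_alloc(uint32_t count)
{
    uint32_t bytes;
    if (bytes_checked(count, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    uint32_t demo = 0x20000000u; /* count used in the advisory's t.php */
    uint32_t bytes;

    printf("unchecked: %u elements -> %u bytes\n",
           (unsigned)demo, (unsigned)bytes_unchecked(demo));
    printf("checked:   %s\n",
           bytes_checked(demo, &bytes) ? "rejected" : "accepted");
    return 0;
}
```

Under these assumptions the unchecked size for 0x20000000 elements wraps to 0 bytes, so the buffer is far smaller than the element count the caller goes on to use.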
|
Impact: The specific impact depends on the application that uses the PHP socket extensions. A remote user may be able to cause the affected application to crash or potentially execute arbitrary code.
|
Solution: The vendor has released a fixed version (4.3.2) that corrects multiple "potentially hazardous" integer and buffer overflows (others in addition to the socket_iovec_alloc() integer overflow reported in this alert), available at:
http://www.php.net/downloads.php
|
Vendor URL: www.php.net/
|
Cause: Boundary error
|
Underlying OS: Windows (Any), Linux (Any), UNIX (Any)
|
Underlying OS Comments: Tested on Linux 2.4 with Apache 1.3.27 / PHP 4.3.1
|
Reported By: je@sekure.net
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 29 May 2003 15:32:10 +0200 (CEST)
From: je@sekure.net
Subject: New php release with security fixes
|
See below,
/jonas
---------- Forwarded message ----------
Date: Thu, 29 May 2003 15:05:24 +0300 (EEST)
From: Jani Taskinen <sniper@php.net>
Reply-To: Jani Taskinen <sniper@iki.fi>
To: php-announce@lists.php.net
Cc: php-general@lists.php.net
Subject: [ANNOUNCE] PHP 4.3.2 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
After a lengthy QA process, PHP 4.3.2 is finally out! This maintenance
release solves a lot of bugs found in earlier PHP versions and is a
*strongly* recommended upgrade for all PHP users.
PHP 4.3.2 contains, among others, the following important fixes, additions and
improvements:
* Fixes several potentially hazardous integer and buffer overflows.
* Fixes for several 64-bit problems.
* New Apache 2.0 SAPI module (sapi/apache2handler, enabled with --with-apxs2).
* New session_regenerate_id() function.
(Important feature against malicious session planting).
* Improvements to dba extension.
* Improvements to thttpd SAPI module.
* Dropped support for GDLIB version 1.x.x (php_gd.dll) on Windows.
* A Unix man page for CLI version of PHP.
* New "disable_classes" php.ini option to allow administrators to disable
certain classes for security reasons.
* ...and a huge amount of other bug fixes
For a full list of changes in PHP 4.3.2, see the NEWS file.
(http://www.php.net/ChangeLog-4.php).
md5sums:
8aec1bb2dbcca1c92835c71e2e30d9c5 *php-4.3.2.tar.bz2
8433a1d0ce679780990d4813ae094590 *php-4.3.2.tar.gz
e1afea6341d97e8160bd7d93712721ec *php-4.3.2-Win32.zip
cb55d0d9df6a2bf4ba666c27886d12cb *php-4.3.2-installer.exe
kippis,
Jani Taskinen
sniper@php.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE+1feO/HlsOzK2WlERAuExAKDYgdy/qCRur4YPdoPGrxfFqWxxmgCfdnal
DtTNv9vmVAUDRh2LjM0lUH0=
=GHti
-----END PGP SIGNATURE-----