PHP Shared Libraries on Slackware Linux May Let Local Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1010368
|
|
SecurityTracker URL: http://securitytracker.com/id?1010368
|
|
CVE Reference: CAN-2004-0530
(Links to External Site)
|
Updated: Jun 8 2004
|
Original Entry Date: Jun 2 2004
|
Impact: Denial of service via local system, Execution of arbitrary code via local system, User access via local system
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 4.3.6
|
Description: A vulnerability was reported in PHP on Slackware Linux. A local user may be able to cause PHP to crash or to execute arbitrary code.
Slackware reported that in Slackware php packages when PHP is linked against a static library in an insecure path (e.g., '/tmp'),
a local user can place malicious shared libraries in the insecure path location. Then, when PHP is compiled, the shared libraries
will be built into the PHP binaries. As a result, PHP may crash or execute arbitrary code with the privileges of the user running
PHP.
Slackware credits Bryce Nichols with reporting this flaw.
|
Impact: A local user can cause PHP to crash or execute arbitrary code. The arbitrary code will be executed with the privileges of the user running PHP.
|
Solution: Slackware has issued a fix.
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.6-i386-1.tgz
Updated
package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.6-i386-1.tgz
Updated
package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/php-4.3.6-i486-1.tgz
Updated
package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/php-4.3.6-i486-4.tgz
The
MD5 signatures are:
Slackware 8.1 package:
cee32e839211a37b0081615b4112b87f php-4.3.6-i386-1.tgz
Slackware 9.0 package:
eaa0c69981f0aa8cc6b2d4ef0269481c
php-4.3.6-i386-1.tgz
Slackware 9.1 package:
007c48e42d292819b6cdc66e2e8334e0 php-4.3.6-i486-1.tgz
Slackware -current package:
07bcba5e37538f16941141c43006cec1
php-4.3.6-i486-4.tgz
|
Vendor URL: www.php.net/ (Links to External Site)
|
Cause: Configuration error
|
Underlying OS: Linux (Slackware)
|
Underlying OS Comments: Slackware 8.1, 9.0, 9.1, and -current
|
Reported By: Slackware Security Team <security@slackware.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 2 Jun 2004 12:27:49 -0700 (PDT)
From: Slackware Security Team <security@slackware.com>
Subject: [slackware-security] PHP local security issue (SSA:2004-154-02)
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] PHP local security issue (SSA:2004-154-02)
New PHP packages are available for Slackware 8.1, 9.0, 9.1, and -current
to fix a security issue. These fix a problem in previous Slackware php
packages where linking PHP against a static library in an insecure path
(under /tmp) could allow a local attacker to place shared libraries at
this location causing PHP to crash, or to execute arbitrary code as the
PHP user (which is by default, "nobody").
Thanks to Bryce Nichols for researching and reporting this issue.
Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Wed Jun 2 11:28:17 PDT 2004
patches/packages/php-4.3.6-i486-1.tgz: Upgraded to php-4.3.6. This is
compiled with c-client.a in /usr/local/lib/c-client/ to fix a problem in
previous php packages where linking against the library in a path under
/tmp caused an ELF rpath to this location to be built into the PHP binaries.
A local attacker could (by placing shared libraries in this location) either
crash PHP or cause arbitrary code to be executed as the PHP user (typically
"nobody"). Thanks to Bryce Nichols for discovering this issue and bringing
it to my attention.
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Updated package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/php-4.3.6-i386-1.tgz
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/php-4.3.6-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/php-4.3.6-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/php-4.3.6-i486-4.tgz
MD5 signatures:
+-------------+
Slackware 8.1 package:
cee32e839211a37b0081615b4112b87f php-4.3.6-i386-1.tgz
Slackware 9.0 package:
eaa0c69981f0aa8cc6b2d4ef0269481c php-4.3.6-i386-1.tgz
Slackware 9.1 package:
007c48e42d292819b6cdc66e2e8334e0 php-4.3.6-i486-1.tgz
Slackware -current package:
07bcba5e37538f16941141c43006cec1 php-4.3.6-i486-4.tgz
Installation instructions:
+------------------------+
First, stop apache:
# apachectl stop
Next, upgrade the PHP package as root:
# upgradepkg php-4.3.6-i486-1.tgz
Finally, restart apache:
# apachectl start
Or, if you're running a secure server with mod_ssl:
# apachectl startssl
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| To leave the slackware-security mailing list: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD4DBQFAviEfakRjwEAQIjMRAnQFAJjeripyyLT6gfCyFXKR8dtf2qKlAJ95aMTj
aO+Ndr66moKUN3sX3qkFXA==
=D3Mj
-----END PGP SIGNATURE-----
|
|
