USN-320-1: PHP vulnerabilities

19 July 2006

php4, php5 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 6.06 LTS
  • Ubuntu 5.10
  • Ubuntu 5.04

Software Description

Details

The phpinfo() PHP function did not properly sanitize long strings. A remote attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). Please note that it is not recommended to publicly expose phpinfo(). (CVE-2006-0996)

An information disclosure has been reported in the html_entity_decode() function. A script which uses this function to process arbitrary user-supplied input could be exploited to expose a random part of memory, which could potentially reveal sensitive data. (CVE-2006-1490)

The wordwrap() function did not sufficiently check the validity of the ‘break’ argument. An attacker who could control the string passed to the ‘break’ parameter could cause a heap overflow; however, this should not happen in practical applications. (CVE-2006-1990)

The substr_compare() function did not sufficiently check the validity of the ‘offset’ argument. A script which passes untrusted user-defined values to this parameter could be exploited to crash the PHP interpreter. (CVE-2006-1991)

In certain situations, using unset() to delete a hash entry could cause the deletion of the wrong element, which would leave the specified variable defined. This could potentially cause information disclosure in security-relevant operations. (CVE-2006-3017)

In certain situations the session module attempted to close a data file twice, which led to memory corruption. This could potentially be exploited to crash the PHP interpreter, though that could not be verified. (CVE-2006-3018)

This update also fixes various bugs which allowed local scripts to bypass open_basedir and ‘safe mode’ restrictions by passing special arguments to tempnam() (CVE-2006-1494, CVE-2006-2660), copy() (CVE-2006-1608), the curl module (CVE-2006-2563), or error_log() (CVE-2006-3011).

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 6.06 LTS
libapache2-mod-php5 - 5.1.2-1ubuntu3.1
php5-cgi - 5.1.2-1ubuntu3.1
php5-cli - 5.1.2-1ubuntu3.1
php5-curl - 5.1.2-1ubuntu3.1
Ubuntu 5.10
libapache2-mod-php5 - 5.0.5-2ubuntu1.3
php5-cgi - 5.0.5-2ubuntu1.3
php5-cli - 5.0.5-2ubuntu1.3
php5-curl - 5.0.5-2ubuntu1.3
Ubuntu 5.04
libapache2-mod-php4 - 4:4.3.10-10ubuntu4.5
php4-cgi - 4:4.3.10-10ubuntu4.5
php4-cli - 4:4.3.10-10ubuntu4.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.

References