USN-320-1: PHP vulnerabilities

Ubuntu Security Notice USN-320-1

19th July, 2006

php4, php5 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 6.06 LTS
  • Ubuntu 5.10
  • Ubuntu 5.04

Details

The phpinfo() PHP function did not properly sanitize long strings. A
remote attacker could use this to perform cross-site scripting attacks
against sites that have publicly-available PHP scripts that call
phpinfo(). Please note that it is not recommended to publicly expose
phpinfo(). (CVE-2006-0996)

An information disclosure has been reported in the
html_entity_decode() function. A script which uses this function to
process arbitrary user-supplied input could be exploited to expose a
random part of memory, which could potentially reveal sensitive data.
(CVE-2006-1490)

The wordwrap() function did not sufficiently check the validity of the
'break' argument. An attacker who could control the string passed to
the 'break' parameter could cause a heap overflow; however, this
should not happen in practical applications. (CVE-2006-1990)

The substr_compare() function did not sufficiently check the validity
of the 'offset' argument. A script which passes untrusted user-defined
values to this parameter could be exploited to crash the PHP
interpreter. (CVE-2006-1991)

In certain situations, using unset() to delete a hash entry could
cause the deletion of the wrong element, which would leave the
specified variable defined. This could potentially cause information
disclosure in security-relevant operations. (CVE-2006-3017)

In certain situations the session module attempted to close a data
file twice, which led to memory corruption. This could potentially be
exploited to crash the PHP interpreter, though that could not be
verified. (CVE-2006-3018)

This update also fixes various bugs which allowed local scripts
to bypass open_basedir and 'safe mode' restrictions by passing special
arguments to tempnam() (CVE-2006-1494, CVE-2006-2660), copy()
(CVE-2006-1608), the curl module (CVE-2006-2563), or error_log()
(CVE-2006-3011).

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 6.06 LTS:
php5-cli 5.1.2-1ubuntu3.1
php5-cgi 5.1.2-1ubuntu3.1
libapache2-mod-php5 5.1.2-1ubuntu3.1
php5-curl 5.1.2-1ubuntu3.1
Ubuntu 5.10:
php5-cli 5.0.5-2ubuntu1.3
php5-cgi 5.0.5-2ubuntu1.3
libapache2-mod-php5 5.0.5-2ubuntu1.3
php5-curl 5.0.5-2ubuntu1.3
Ubuntu 5.04:
libapache2-mod-php4 4:4.3.10-10ubuntu4.5
php4-cgi 4:4.3.10-10ubuntu4.5
php4-cli 4:4.3.10-10ubuntu4.5

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References

CVE-2006-0996, CVE-2006-1490, CVE-2006-1494, CVE-2006-1608, CVE-2006-1990, CVE-2006-1991, CVE-2006-2563, CVE-2006-2660, CVE-2006-3011, CVE-2006-3016, CVE-2006-3018