From martin.pitt@canonical.com Thu Jan 20 12:55:03 2005 From: Martin Pitt To: ubuntu-security-announce@lists.ubuntu.com Cc: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com Date: Thu, 20 Jan 2005 18:29:42 +0100 Subject: [Full-Disclosure] [USN-66-1] PHP vulnerabilities =========================================================== Ubuntu Security Notice USN-66-1 January 20, 2005 php4 vulnerabilities http://www.securitytracker.com/alerts/2004/Oct/1011984.html http://www.securityfocus.com/archive/1/384920 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) The following packages are affected: libapache2-mod-php4 php4-cgi php4-curl The problem can be corrected by upgrading the affected package to version 4:4.3.8-3ubuntu7.3. In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: FraMe from kernelpanik.org reported that the cURL module does not respect open_basedir restrictions. As a result, scripts which used cURL to open files with an user-specified path could read arbitrary local files outside of the open_basedir directory. Stefano Di Paola discovered a vulnerability in PHP's shmop_write() function. Its "offset" parameter was not checked for negative values, which allowed an attacker to write arbitrary data to arbitrary memory locations. A script which passed unchecked parameters to shmop_write() could possibly be exploited to execute arbitrary code with the privileges of the web server and to bypass safe mode restrictions. Source archives: http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8-3ubuntu7.3.diff.gz Size/MD5: 610960 fe787f903688a67343f674ee02bd00b1 http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8-3ubuntu7.3.dsc Size/MD5: 1624 2ca8c4097c0f65a302340ebd3679e6c8 http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8.orig.tar.gz Size/MD5: 4832570 dd69f8c89281f088eadf4ade3dbd39ee Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-dev_4.3.8-3ubuntu7.3_all.deb Size/MD5: 331490 e003d55ed3e4b213b179ec30facfe0f3 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-pear_4.3.8-3ubuntu7.3_all.deb Size/MD5: 332580 19eea2d0d5618bfd85a39efef1b812e6 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 1687328 f5e26310e00095ebcc54b0b20b8716c2 http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cgi_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 3195630 456d6f35fa09b258e7d0da34d6bf9b28 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-curl_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 17080 c52586ddbb105f17ce5ebf6cf87bd592 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-domxml_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 40422 fe6fe77c231075a2a667e613cbcd5c99 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-gd_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 33492 07ecfe487a4b1f1ea768483252fbda37 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-ldap_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 21226 484861d9f894b57d1f8e2a37e7449041 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mcal_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 18406 7de19aade4ffa2f9ba2b424736b6d168 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mhash_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 7988 42b5eee875348b468b8ca21baa4c5164 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mysql_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 23106 fe4f90839fed4a12e2b398b3f563a3d9 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-odbc_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 28318 7ec809b18ce7e231def1f6e499259f76 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-recode_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 7608 95ec04d122f22eebce82a817ee89e669 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-snmp_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 12966 a55b05cffdaf5cd67cb060c9a2a1df06 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-sybase_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 21494 c4b5a4561645ca55f5ef506ce2dea114 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-xslt_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 17242 f2c0f1ab1734c38fdb749d72182bcc06 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4_4.3.8-3ubuntu7.3_amd64.deb Size/MD5: 1703362 897ffad665ac90da2b51f481c13bc9d5 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 1629742 372b8436c25bce61a1921390a48c7e00 http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cgi_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 3042580 8dcd4d214491386e7831ad50c22b53b9 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-curl_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 16642 2bfe89f3e1f39e34c6755108f522dd23 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-domxml_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 35560 8a4738c2c6e3f38ee09a8344d33803bf http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-gd_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 31072 89b90051a0dccd3df1d40173f7e1c2e2 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-ldap_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 19470 089aca8ac64f2f60916b8ac732859a90 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mcal_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 17050 f34eff3de956e0f7bd9493125428fedc http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mhash_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 7740 f9ee71c58949fe011afc3bd1189be744 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mysql_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 20904 7e6eb75d915e88c8cafa63c905571f02 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-odbc_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 26064 0579e7944930fe37aea736ea64539fa9 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-recode_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 7372 061ecb634528d74f51bc552dd293704c http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-snmp_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 12320 24cfade7758174be7982d5e7b91f1228 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-sybase_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 20012 449ab9d816a60fcf0e88e2e53cda7012 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-xslt_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 15876 71b352df04640ced953b82991ad5e5cb http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4_4.3.8-3ubuntu7.3_i386.deb Size/MD5: 1644196 4c1d7fc89fcc3631fb1595316bbbf671 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 1689540 c88fded38c3c929636bbf7fc00e59e3a http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cgi_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 3202338 5074ee6d65bac1f1ffca4b8beabd0342 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-curl_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 18924 ef2f905749274b9313dbbafd76cc59be http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-domxml_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 38276 7de47a9bbba3e6b1a9f67b488414fbe8 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-gd_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 34006 c16dd35aa2361d785f7d51c39dc7f392 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-ldap_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 21468 b7d2ed10648d505eded2aa15a2614acb http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mcal_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 19308 45846194a0f7c1b73049837004fda130 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mhash_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 9304 9006a8318f3aefc71edad02361e1d147 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mysql_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 22678 a3b089b21831be6cf71387cc379bb0ef http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-odbc_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 28402 61fa92e166879961b767a947fd4deadc http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-recode_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 9000 f6ac1c2f65a68c6353b894a8e6b33288 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-snmp_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 14322 adb29a3234450616f09d36bc070d7fbb http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-sybase_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 22190 a63a95e1e486a649d9c398eb048615a7 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-xslt_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 18058 dac4907075ca5cd0450ce58483c32994 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4_4.3.8-3ubuntu7.3_powerpc.deb Size/MD5: 1707200 53f7d5974d1480a238fc03bb086b0945 [ Part 1.2, "Digital signature" Application/PGP-SIGNATURE ] [ 196bytes. ] [ Unable to print this part. ] [ Part 2: "Attached Text" ] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html