SB2011011802 - Multiple vulnerabilities in PHP
Published: January 18, 2011 Updated: August 11, 2020
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Race condition (CVE-ID: CVE-2011-0753)
The vulnerability allows a remote non-authenticated attacker to cause a denial of service.
Race condition in the PCNTL extension in PHP before 5.3.4, when a user-defined signal handler exists, might allow context-dependent attackers to cause a denial of service (memory corruption) via a large number of concurrent signals.
2) Input validation error (CVE-ID: CVE-2011-0755)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
Integer overflow in the mt_rand function in PHP before 5.3.4 might make it easier for context-dependent attackers to predict the return values by leveraging a script's use of a large max parameter, as demonstrated by a value that exceeds mt_getrandmax.
3) Input validation error (CVE-ID: CVE-2010-4699)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The iconv_mime_decode_headers function in the Iconv extension in PHP before 5.3.4 does not properly handle encodings that are unrecognized by the iconv and mbstring (aka Multibyte String) implementations, which allows remote attackers to trigger an incomplete output array, and possibly bypass spam detection or have unspecified other impact, via a crafted Subject header in an e-mail message, as demonstrated by the ks_c_5601-1987 character set.
4) Input validation error (CVE-ID: CVE-2006-7243)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
PHP before 5.3.4 accepts the \0 character in a pathname, which might allow context-dependent attackers to bypass intended access restrictions by placing a safe file extension after this character, as demonstrated by .php\0.jpg at the end of the argument to the file_exists function.
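An application-level guard for the pathname issue in item 4, as an added example that is not code from this bulletin or from the PHP project: it rejects any filename containing a NUL byte before the extension allow-list is consulted, and prints how the extension check and a NUL-terminated C string view disagree on the same input. The function names `c_string_view` and `reject_reason`, the allow-list and the sample filenames are assumptions made for illustration.

```php
<?php
// Added example, not PHP project code. Function names and sample
// filenames are hypothetical and constructed for illustration.

// What a NUL-terminated C string API sees: the bytes before the first "\0".
function c_string_view($path)
{
    $nul = strpos($path, "\0");
    return $nul === false ? $path : substr($path, 0, $nul);
}

// Returns null if the name is acceptable, otherwise the rejection reason.
// The NUL check runs first so that the extension test and the filesystem
// layer are guaranteed to be looking at the same name.
function reject_reason($name, array $allowedExt)
{
    if (strpos($name, "\0") !== false) {
        return 'NUL byte in pathname';
    }
    if ($name !== basename($name)) {
        return 'directory component in filename';
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return "extension '$ext' not allowed";
    }
    return null;
}

// Flag runtimes that still carry the behaviour described in this bulletin.
if (version_compare(PHP_VERSION, '5.3.4', '<')) {
    echo 'Warning: PHP ', PHP_VERSION, " predates the 5.3.4 fix\n";
}

// Constructed sample inputs: one benign name, three that must be rejected.
$samples = array("holiday.jpg", "shell.php\0.jpg", "../shell.jpg", "notes.php");
foreach ($samples as $name) {
    $reason = reject_reason($name, array('jpg', 'png'));
    printf(
        "%-18s ext=%-3s c-view=%-12s %s\n",
        addcslashes($name, "\0"),
        pathinfo($name, PATHINFO_EXTENSION),
        c_string_view($name),
        $reason === null ? 'accept' : "reject: $reason"
    );
}
```

The guard is defence in depth for code that may still run on an unpatched interpreter; it does not replace the update named under Remediation.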
Remediation
Install update from vendor's website.