
List:       oss-security
Subject:    Re: [oss-security] CVE request: php 5.3.1 -  proc_open() bypass PHP
From:       Josh Bressers <bressers () redhat ! com>
Date:       2009-11-23 20:49:28
Message-ID: 499213538.605701259009368603.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

CVE-2009-4018

In PHP before 5.3.1, proc_open() can be used to bypass the
safe_mode_protected_env_vars INI setting. This could be used to alter the
process environment and possibly execute arbitrary code.

http://www.php.net/ChangeLog-5.php#5.3.1
http://bugs.php.net/bug.php?id=49026
http://marc.info/?l=oss-security&m=125897935330618&w=2

Thanks.

-- 
    JB

----- "Jan Lieskovsky" <jlieskov@redhat.com> wrote:

> Hi Brian,
> 
> security curmudgeon wrote:
> > On Fri, 20 Nov 2009, Thomas Biege wrote:
> > 
> > : PHP was updated to version 5.3.1 and did also address security
> > : issues: http://www.php.net/releases/5_3_1.php
> > : 
> > : Security Enhancements and Fixes in PHP 5.3.1:
> > : 
> > :     * Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion.
> > :     * Added missing sanity checks around exif processing.
> > 
> > This was previously disclosed and fixed in the 5.2.x tree. I believe this is the same as CVE-2009-3292.
> > 
> > :     * Fixed a safe_mode bypass in tempnam().
> > :     * Fixed a open_basedir bypass in posix_mkfifo().
> > :     * Fixed bug #50063 (safe_mode_include_dir fails).
> > :     * Fixed bug #44683 (popen crashes when an invalid mode is passed).
> > 
> > Also not flagged as 'security' up top, but from the changelog:
> > 
> > Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars restrictions). (Ilia)
> 
>    Thank you for pointing this out.
> 
>    Yes, further look into particular php bugzilla returns:
> 
>      "Environment variables specified for proc_open passed without check so
>       safe_mode_allowed_env_vars and safe_mode_protected_env_vars settings are
>       ignored. So it becomes possible to use buffer overflow exploit with
>       "LD_PRELOAD=evil_library.so" to bypass safe_mode restrictions and get
>       access to any files accessible for apache uid."
> 
>    So it looks like another CVE id is needed here. Changed subject to:
>    "CVE request: php 5.3.1 - proc_open() bypass PHP Bug #49026"
> 
>    Could we get another CVE id for this case?
> 
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 
> > 
> > Brian

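The bug quoted above is that proc_open() forwarded a caller-supplied environment to the child without applying the safe_mode environment checks, so a loader-controlling variable such as LD_PRELOAD could reach the child. PHP 5.3.1 restored the check inside the interpreter; the following is an added example, not code from this thread or from PHP's own fix, showing the application-level equivalent: an explicit allowlist applied to whatever environment the caller asks for before proc_open() is invoked. The allowlist, the denied prefixes and the helper names (filter_child_env, run_with_filtered_env) are assumptions for the example.

```php
<?php
// Added example (not from the thread or from PHP): forward only an explicit
// allowlist of environment variables to a child started with proc_open().
// Everything else, including loader-controlling names such as LD_PRELOAD,
// is dropped and logged. The lists below are assumptions; adjust them to
// what the child actually needs.

const CHILD_ENV_ALLOWLIST = ['PATH', 'HOME', 'LANG', 'LC_ALL', 'TZ'];

// Prefixes interpreted by the dynamic loader or a shell; never forwarded,
// even if someone later adds such a name to the allowlist by mistake.
const CHILD_ENV_DENIED_PREFIXES = ['LD_', 'DYLD_', 'BASH_ENV', 'IFS'];

function is_denied_env_name(string $name): bool
{
    foreach (CHILD_ENV_DENIED_PREFIXES as $prefix) {
        if (strncmp($name, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Return the subset of $requested that may be handed to a child process.
 * $dropped receives the names that were refused, for logging.
 */
function filter_child_env(array $requested, ?array &$dropped = null): array
{
    $dropped = [];
    $filtered = [];
    foreach ($requested as $name => $value) {
        $name = (string) $name;
        // Values must be plain strings; a NUL byte would truncate the entry.
        if (!is_string($value) || strpos($value, "\0") !== false) {
            $dropped[] = $name;
            continue;
        }
        if (is_denied_env_name($name) || !in_array($name, CHILD_ENV_ALLOWLIST, true)) {
            $dropped[] = $name;
            continue;
        }
        $filtered[$name] = $value;
    }
    return $filtered;
}

/** Run $command with the filtered environment and collect its output. */
function run_with_filtered_env(string $command, array $requestedEnv): array
{
    $env = filter_child_env($requestedEnv, $dropped);
    foreach ($dropped as $name) {
        error_log("proc_open: refused to forward environment variable $name");
    }
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($command, $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException("proc_open failed for $command");
    }
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return ['status' => $status, 'stdout' => $stdout, 'stderr' => $stderr];
}

// Constructed input: a caller (perhaps relaying user-controlled settings)
// asks for LD_PRELOAD next to harmless variables. Only PATH and LANG are
// forwarded; LD_PRELOAD and FOO are dropped and logged.
$requested = [
    'PATH'       => '/usr/bin:/bin',
    'LANG'       => 'C',
    'LD_PRELOAD' => '/tmp/evil_library.so',
    'FOO'        => 'bar',
];
$result = run_with_filtered_env('env', $requested);
echo $result['stdout'];
```

Because proc_open() replaces the child's environment entirely when the $env argument is given, the child sees exactly the filtered set and nothing inherited from the web server process; the log line for each dropped name is what an operator would look for when reviewing whether an application is being asked to forward variables it should not.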