-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ OpenPKG Security Advisory OpenPKG GmbH http://www.openpkg.org/security/ http://openpkg.com OpenPKG-SA-2006.023 2006-10-17 ________________________________________________________________________ Package: php Vulnerability: privilege escalation, arbitrary code execution OpenPKG Specific: no Affected Series: Affected Packages: Corrected Packages: 1.0-ENTERPRISE N.A. >= php-5.1.6-E1.0.0 2-STABLE-20061018 N.A. >= php-5.1.6-2.20061018 2-STABLE <= php-5.1.5-2.20060818 >= php-5.1.6-2.20061018 CURRENT <= php-5.1.6-20061013 >= php-5.1.6-20061017 Description: According to a security advisory [1] from Maksymilian Arciemowicz, a vulnerability exists in the programming language PHP [0] which allows local users to bypass certain Apache HTTP server "httpd.conf" options, such as "safe_mode" and "open_basedir", via the "ini_restore" function, which resets the values to their "php.ini" (master value) defaults. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2006-4625 [2] to the problem. According to a security advisory [3] from the Hardened-PHP project, an integer overflow bug exists in the programming language PHP [0] which allows remote attackers to execute arbitrary code via an argument to the "unserialize" PHP function with a large value for the number of array elements, which triggers the overflow in the underlying Zend Engine "ecalloc" function. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2006-4812 [4] to the problem. According to a security advisory [5] from the Hardened-PHP project, a race condition in the "symlink" function of the programming language PHP [0] exists which allows local users to bypass the "open_basedir" restriction by using a combination of "symlink", "mkdir", and "unlink" functions to change the file path after the "open_basedir" check and before the file is opened by the underlying system, as demonstrated by symlinking a symlink into a subdirectory, to point to a parent directory via ".." sequences, and then unlinking the resulting symlink. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2006-5178 [6] to the problem. ________________________________________________________________________ References: [0] http://www.php.net/ [1] http://securityreason.com/achievement_securityalert/42 [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4625 [3] http://www.hardened-php.net/advisory_092006.133.html [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4812 [5] http://www.hardened-php.net/advisory_082006.132.html [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5178 ________________________________________________________________________ For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG " (ID 63C4CB9F) which you can retrieve from http://www.openpkg.org/openpkg.pgp. Follow the instructions on http://www.openpkg.org/security/signatures/ for details on how to verify the integrity of this advisory. ________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG iD8DBQFFNIGdgHWT4GPEy58RAtVBAJoCX3irrZamtyw2iB6kr0prNfJK8wCg7/bo S+LNuXuT19oMnAmzUXudLkc= =RAhf -----END PGP SIGNATURE-----