=========================================================== Ubuntu Security Notice USN-549-2 December 03, 2007 php5 regression https://launchpad.net/bugs/173043 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 7.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 7.10: libapache2-mod-php5 5.2.3-1ubuntu6.2 php5-cgi 5.2.3-1ubuntu6.2 php5-cli 5.2.3-1ubuntu6.2 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: USN-549-1 fixed vulnerabilities in PHP. However, some upstream changes were incomplete, which caused crashes in certain situations with Ubuntu 7.10. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that the wordwrap function did not correctly check lengths. Remote attackers could exploit this to cause a crash or monopolize CPU resources, resulting in a denial of service. (CVE-2007-3998) Integer overflows were discovered in the strspn and strcspn functions. Attackers could exploit this to read arbitrary areas of memory, possibly gaining access to sensitive information. (CVE-2007-4657) Stanislav Malyshev discovered that money_format function did not correctly handle certain tokens. If a PHP application were tricked into processing a bad format string, a remote attacker could execute arbitrary code with application privileges. (CVE-2007-4658) It was discovered that the php_openssl_make_REQ function did not correctly check buffer lengths. A remote attacker could send a specially crafted message and execute arbitrary code with application privileges. (CVE-2007-4662) It was discovered that certain characters in session cookies were not handled correctly. A remote attacker could injection values which could lead to altered application behavior, potentially gaining additional privileges. (CVE-2007-3799) Gerhard Wagner discovered that the chunk_split function did not correctly handle long strings. A remote attacker could exploit this to execute arbitrary code with application privileges. (CVE-2007-2872, CVE-2007-4660, CVE-2007-4661) Stefan Esser discovered that deeply nested arrays could be made to fill stack space. A remote attacker could exploit this to cause a crash or monopolize CPU resources, resulting in a denial of service. (CVE-2007-1285, CVE-2007-4670) Rasmus Lerdorf discovered that the htmlentities and htmlspecialchars functions did not correctly stop when handling partial multibyte sequences. A remote attacker could exploit this to read certain areas of memory, possibly gaining access to sensitive information. (CVE-2007-5898) It was discovered that the output_add_rewrite_var fucntion would sometimes leak session id information to forms targeting remote URLs. Malicious remote sites could use this information to gain access to a PHP application user's login credentials. (CVE-2007-5899) Updated packages for Ubuntu 7.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.2.3-1ubuntu6.2.diff.gz Size/MD5: 126545 02fbb9e80b615dc9a718d60c9367538a http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.2.3-1ubuntu6.2.dsc Size/MD5: 1921 d8aec3af9962e69e67bc7ae6bfa31537 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.2.3.orig.tar.gz Size/MD5: 9341653 df79b04d63fc4c1ccb6d8ea58a9cf3ac Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/p/php5/php-pear_5.2.3-1ubuntu6.2_all.deb Size/MD5: 351400 62ead0de4a2ea48ca87be08b0448f5ab http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5_5.2.3-1ubuntu6.2_all.deb Size/MD5: 1082 77c1c2ec676628707caf5588962f0f45 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 2669448 95ae60da41ef7b4594f86ff5264a13d4 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 5190794 1758c00b1b859342f5c3e73e5e867bbd http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 2617924 b4bda6f34586d6c8887cb2c10079ea76 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 222450 67e1f5d10721cad22936f0068211a3c7 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 24778 811ec34d4ea460b00fac5bdb16e9b8f5 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 355046 dfb88072d5b404ee353f4af63ae9ebb2 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 37826 6c17e662bb7a6b2c525a705d91fa65d5 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 19948 753ec86c6795479bc0891ca9c0670b91 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 5516 66519e995a609455868d5ad23e927221 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 73880 afcde53c84b70c2f9882d6c319f0ca6c http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 37356 ee6186620f7ee27b153c5104db3fa541 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 55904 99be8556d41e3561a25e24c281d0a11b http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pspell_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 9642 c3295facb9fa364802abb6857f46f63d http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 4996 455b57531d167ecc89555e6e1f5605de http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 12352 fdca6404e8a8621fa702f1866e46751a http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 39482 55d7eb36b22298c3cae3305ea6e210f4 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 19824 8d13dfe918c0cea9d41fae314e22452d http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-tidy_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 17880 9ab41423658fbff93ae9c9012400d8ac http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 40808 eb5b2070dab4107f00e8e7475eab2b14 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.2.3-1ubuntu6.2_amd64.deb Size/MD5: 13368 8dc3c21c551572a5187341fe7f9368a4 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 2542558 0fa871af840de95357d417e81b1bde12 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 5024704 4d076101de583289f74b472f66a3d321 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 2530522 a45f9fae50da18f4455a55c166b73f0a http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 218722 5c3bc75d5873441488fd0c8f65c2b53f http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 23598 a04e61affc316a84891bad58ee0eddbd http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 355044 94e2c641392ac5ae29e237c5132382f7 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 33490 0afcb138e970ca9d10dc1d754470494e http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 17970 b0258ea33e7642deb82aaead60a0e978 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 5194 49596e1453c3131e06af3e045a623977 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 65216 80135f11d58a1c872d4d60989baedf48 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 34432 29f2821eafc5fbf46a6e8ca4feec1970 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 51304 e66d6510daaaa6b4a6d4b64a5f7a0a60 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pspell_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 8700 a594aa7f95afa110e83e529b97aa2f40 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 4774 5a766568c97f65f2be95c60f4a57bda9 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 11562 a663a6acf219a33af357f78c70c6b89d http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 34496 ab97a8b5c2b87c89517c6372907e4223 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 18134 9b97f35dd2cf631b8d4d407b802e09ba http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-tidy_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 16348 061fc0d3060ab441b7319608d7968ac6 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 37722 9d9eba9fd632f8d473ed095e17ad6d57 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.2.3-1ubuntu6.2_i386.deb Size/MD5: 12402 355d6a8d187b53704d169ac2527b51a3 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 2742574 b90d20abf4b71b58d67902f0904e3f54 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 5270574 67c8541045c90489d495ce234f6e1ffb http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 2654246 f27259c7b3841e50bf3c86dc782b20f0 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 225816 31458de4e7c9177f0138973fc0d5b25b http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 28060 86f7e5fad55a12472c985c32f743f015 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 355080 fecb9665cbde35a8518b600cdf205fb4 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 39110 adc0322de702ada2e0b80e490e417685 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 21724 edc5f9999abac743ecc66592cecf3767 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 7640 6377891afce3ee5b592c32cc95b42f95 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 78026 47fd399637c816e4a4206f76cd9d8afc http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 40974 641321c2fb3f5b8de7d772f3eeba46bc http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 59574 58b072639918acd35515d8eceb76971d http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pspell_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 11248 4e667071c4471a24ecae795485aa3655 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 7172 1d98c91eafdf94442f8e4efddcbc0946 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 14118 6fc7790c62b8a7ae231a974271ce40f5 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 42674 53a718dcd9cebd06054ca7bcba4b31c6 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 21860 b210d78bfc0a04fa53f45b901ad3158e http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-tidy_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 20138 a5b73e99fe5320576a0ade3b9aca0cd4 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 43136 29eb3af8e346b10ae0c150406e16b996 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.2.3-1ubuntu6.2_powerpc.deb Size/MD5: 15466 e1e046bc8e77d9237038abce92763c74 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/p/php5/libapache2-mod-php5_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 2576838 4eb1b61129d7191fa5f9a8186a3eb545 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cgi_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 5020902 a74c4167bd3c9072b62c8e8d4ac40eb9 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-cli_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 2529358 790f9b28adf0a84e1f5fe8421fb9c5c6 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-common_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 218684 d3becd4261e09cdecbcdb17a2c28df2d http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-curl_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 24486 c0eb7ca78a301b561175403f8a72f1a5 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-dev_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 355090 4aba6b1a9c1cbe55e43ba0cd2e281740 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-gd_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 34328 d002fe95e04fa7d471a401d29d18521f http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-ldap_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 17966 74f9b87291910eccdd06138619c27dc8 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mhash_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 5070 cf33fa098810fe83e872c6156933b410 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-mysql_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 64752 c92758c6d14df97dfcb57d7aa2d6c243 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-odbc_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 32858 23ff82df0be4350ae39a0602e41bfe3e http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pgsql_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 50136 10970c45c6d1f679d478c781881d4adb http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-pspell_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 8620 899ac45be91a8ffa5630c99bf91fe059 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-recode_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 4754 101ac244742ef3c43d95ab1ccd5a0262 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-snmp_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 11428 d8d1fb1c1a8e1b0f60fafc06a0e2ab07 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sqlite_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 33264 b5fe644c2419e3336f23ba47301174cb http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-sybase_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 17918 895e4b8d78babe51b656e5c3536542b0 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-tidy_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 16494 18f96996d94c777cf35150ebb7799653 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xmlrpc_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 36576 fe16a39635b929178778d1df340e8250 http://security.ubuntu.com/ubuntu/pool/main/p/php5/php5-xsl_5.2.3-1ubuntu6.2_sparc.deb Size/MD5: 11958 98ceda91197ea9d786f66f43d2fd4c4f