-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:128
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : php
 Date    : July 3, 2008
 Affected: 2008.1
 _______________________________________________________________________

 Problem Description:

 A number of vulnerabilities have been found and corrected in PHP:

 php-cgi in PHP prior to 5.2.6 does not properly calculate the length
 of PATH_TRANSLATED, which has unknown impact and attack vectors
 (CVE-2008-0599).

 The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown
 impact and context-dependent attack vectors related to incomplete
 multibyte characters (CVE-2008-2051).

 Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5
 were discovered that could produce a zero seed in rare circumstances
 on 32-bit systems and generate a portion of zero bits during
 conversion due to insufficient precision on 64-bit systems
 (CVE-2008-2107, CVE-2008-2108).

 The IMAP module in PHP uses obsolete API calls that allow
 context-dependent attackers to cause a denial of service (crash)
 via a long IMAP request (CVE-2008-2829).

 In addition, the updated packages provide a number of bug fixes.

 The updated packages have been patched to correct these issues.
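 The GENERATE_SEED weakness (CVE-2008-2107, CVE-2008-2108) modelled in C, as an added example that is not part of the advisory or of PHP's source. The expression shapes, the function names and all input values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed pre-fix shape (not quoted in the advisory):
 *   seed = (long)(time * pid * 1000000 * lcg),  lcg a double in [0,1).
 * Unsigned fixed-width types make the wrap-around well defined here. */

/* 32-bit long: the integer product wraps mod 2^32 before the double
 * multiply, so a product that is a multiple of 2^32 yields seed 0. */
uint32_t seed_model_32(uint32_t t, uint32_t pid, double lcg)
{
    uint32_t prod = t * pid * 1000000u;
    double scaled = (double)prod * lcg;
    return (uint32_t)scaled;
}

/* 64-bit long: the product needs about 63 bits but a double carries 53,
 * so the low bits of the converted seed are always zero. */
uint64_t seed_model_64(uint64_t t, uint64_t pid, double lcg)
{
    uint64_t prod = t * pid * 1000000u;
    double scaled = (double)prod * lcg;
    return (uint64_t)scaled;
}

/* Assumed corrected shape: XOR the integer part with the scaled LCG
 * fraction, so no wide integer passes through a double. */
uint64_t seed_model_fixed(uint64_t t, uint64_t pid, double lcg)
{
    return (t * pid) ^ (uint64_t)(1000000.0 * lcg);
}

int main(void)
{
    /* Constructed inputs: t is a multiple of 2^12 and pid is 2^14, so
     * t * pid * 1000000 (1000000 = 2^6 * 15625) is a multiple of 2^32. */
    uint32_t zero = seed_model_32(1215041536u, 16384u, 0.123456789);
    /* Constructed inputs: midnight UTC on the advisory date, pid 4096. */
    uint64_t wide = seed_model_64(1215043200u, 4096u, 0.123456789);
    uint64_t fixed = seed_model_fixed(1215043200u, 4096u, 0.123456789);

    printf("32-bit model seed: %u\n", (unsigned)zero);
    printf("64-bit model low 7 bits: %u\n", (unsigned)(wide & 0x7f));
    printf("fixed model low 7 bits:  %u\n", (unsigned)(fixed & 0x7f));
    return 0;
}
```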
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:

 Mandriva Linux 2008.1/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIbT7gmqjQ0CJFipgRAqVOAKC/PGY3i2IKO592B0Ukfck2HnZPogCfUijv
tvsSl4XAuy3Fg1iJ05MfgMs=
=M3vw
-----END PGP SIGNATURE-----