Bug 57949 (CVE-2004-0595)

Summary: VUL-0: CVE-2004-0595: remote vuln in PHP
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: IncidentsAssignee: Tomas Crhak <tcrhak>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P3 - Medium CC: afx, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0595: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2004-0594:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: patchinfo-box.mod_php4
patchinfo.mod_php4

Description Sebastian Krahmer 2004-07-13 18:13:29 UTC 
Date: Sat, 10 Jul 2004 18:50:42 +0200
From: Stefan Esser <s.esser@e-matters.de>
To: vendor-sec@lst.de
Cc: sesser@php.net
Subject: [vendor-sec] PHP Security Fixes

Hello,

appended you will find a list of 3 patches. Those are most likely
the final patches that will go into the bugfix release.

The first 2 have something todo with the memory_limit remote exploit
and the 3rd is a collection of other patches that fix safe_mode
problems, a possible IE strip_slashes bypass vulnerability and
a few more stability probblems.

http://security.e-matters.de/patches/php_43_everything_except_mm.diff
http://security.e-matters.de/patches/php_43_memory_limit_in_execution.diff
http://security.e-matters.de/patches/php-4.3.7-sfix.diff

All these patches are more or less in this form in the CVS. Because the
release is supposed to be coordinated with the PHP 5.0.0 release the
exact releasedate is not yet decided, but I suppose it will be at the end
of the week or in the beginning of the next week.

As soon this is decided I will tell you.

Stefan Esser
Comment 1 Sebastian Krahmer 2004-07-13 18:13:29 UTC 
<!-- SBZ_reproduce  -->
...
Comment 2 Sebastian Krahmer 2004-07-14 16:38:59 UTC 
Tomas, are you there? We need new packages ASAP. This issue will
be public soon. If you tell us which products are affected we
will submit the patchinfo files.
Comment 3 Thomas Biege 2004-07-14 19:24:46 UTC 
Created attachment 22155 [details]
patchinfo-box.mod_php4
Comment 4 Thomas Biege 2004-07-14 19:25:01 UTC 
Created attachment 22156 [details]
patchinfo.mod_php4
Comment 5 Roman Drahtmueller 2004-07-14 19:27:19 UTC 
issue has gone public today.
adding afx@atsec.com for demonstration purposes.
Comment 6 Ludwig Nussel 2004-07-14 20:33:03 UTC 
mod_php4 might not be the only binary package that needs to be updated. Tomas, 
can you tell us which subpackages are affected? 
 
Does apache need to be restarted after the update?
Comment 7 Peter Poeml 2004-07-14 20:38:02 UTC 
Apache needs to be restarted if the embedded interpreter is loaded
(usually the case). If /usr/bin/php is run as external CGI, no restart
is necessary.
Comment 8 Peter Poeml 2004-07-14 20:44:00 UTC 
FYI, we have a package called midgard which contains php sources as well
(php3? php4?)
Comment 9 Sebastian Krahmer 2004-07-14 21:39:51 UTC 
The memory_limit got CAN-2004-0594, the strip_tags got CAN-2004-0595.

Also see
http://security.e-matters.de/advisories/112004.html
Comment 10 Tomas Crhak 2004-07-14 23:24:31 UTC 
packages affected:

8.0/ul1/8.1/sles8: mod_php4-aolserver, mod-php4-core, mod_php4-servlet, mod_php4

8.2/9.0: apache2-mod_php4, mod-php4-core, mod_php4-aolserver, mod_php4

9.1/sles9: apache-mod_php4, apache2-mod_php4, php4, php4-servlet, php4-imap,
php4-mysql, php4-session, php4-wddx
Comment 11 Tomas Crhak 2004-07-14 23:26:41 UTC 
Could any of our security gurus have a look how
php_43_memory_limit_in_execution.diff should be backported to 8.2, 8.1 and 8.0?
Comment 12 Sebastian Krahmer 2004-07-16 20:51:42 UTC 
Pakckaes approved and announced.
Comment 13 Thomas Biege 2009-10-13 20:28:44 UTC 
CVE-2004-0595: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)