Bugzilla – Bug 57949
VUL-0: CVE-2004-0595: remote vuln in PHP
Last modified: 2021-10-02 09:33:50 UTC
Date: Sat, 10 Jul 2004 18:50:42 +0200
From: Stefan Esser <s.esser@e-matters.de>
To: vendor-sec@lst.de
Cc: sesser@php.net
Subject: [vendor-sec] PHP Security Fixes

Hello,

appended you will find a list of 3 patches. Those are most likely the final patches that will go into the bugfix release. The first 2 have something to do with the memory_limit remote exploit and the 3rd is a collection of other patches that fix safe_mode problems, a possible IE strip_slashes bypass vulnerability and a few more stability problems.

http://security.e-matters.de/patches/php_43_everything_except_mm.diff
http://security.e-matters.de/patches/php_43_memory_limit_in_execution.diff
http://security.e-matters.de/patches/php-4.3.7-sfix.diff

All these patches are more or less in this form in the CVS. Because the release is supposed to be coordinated with the PHP 5.0.0 release the exact release date is not yet decided, but I suppose it will be at the end of the week or in the beginning of the next week. As soon as this is decided I will tell you.

Stefan Esser
Tomas, are you there? We need new packages ASAP. This issue will be public soon. If you tell us which products are affected we will submit the patchinfo files.
Created attachment 22155 patchinfo-box.mod_php4
Created attachment 22156 patchinfo.mod_php4
Issue has gone public today. Adding afx@atsec.com for demonstration purposes.
mod_php4 might not be the only binary package that needs to be updated. Tomas, can you tell us which subpackages are affected? Does apache need to be restarted after the update?
Apache needs to be restarted if the embedded interpreter is loaded (usually the case). If /usr/bin/php is run as external CGI, no restart is necessary.
FYI, we have a package called midgard which contains php sources as well (php3? php4?)
The memory_limit got CAN-2004-0594, the strip_tags got CAN-2004-0595. Also see http://security.e-matters.de/advisories/112004.html
Packages affected:
8.0/ul1/8.1/sles8: mod_php4-aolserver, mod-php4-core, mod_php4-servlet, mod_php4
8.2/9.0: apache2-mod_php4, mod-php4-core, mod_php4-aolserver, mod_php4
9.1/sles9: apache-mod_php4, apache2-mod_php4, php4, php4-servlet, php4-imap, php4-mysql, php4-session, php4-wddx
Could any of our security gurus have a look at how php_43_memory_limit_in_execution.diff should be backported to 8.2, 8.1 and 8.0?
Packages approved and announced.
CVE-2004-0595: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)