-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2007:187 http://www.mandriva.com/security/ _______________________________________________________________________ Package : php Date : September 21, 2007 Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0 _______________________________________________________________________ Problem Description: Numerous vulnerabilities were discovered in the PHP scripting language that are corrected with this update. An integer overflow in the substr_compare() function allows context-dependent attackers to read sensitive memory via a large value in the length argument. This only affects PHP5 (CVE-2007-1375). A stack-based buffer overflow in the zip:// URI wrapper in PECL ZIP 1.8.3 and earlier allowes remote attackers to execute arbitrary code via a long zip:// URL. This only affects Corporate Server 4.0 (CVE-2007-1399). A CRLF injection vulnerability in the FILTER_VALIDATE_EMAIL filter could allow an attacker to inject arbitrary email headers via a special email address. This only affects Mandriva Linux 2007.1 (CVE-2007-1900). The mcrypt_create_iv() function calls php_rand_r() with an uninitialized seed variable, thus always generating the same initialization vector, which may allow an attacker to decrypt certain data more easily because of the guessable encryption keys (CVE-2007-2727). The soap extension calls php_rand_r() with an uninitialized seec variable, which has unknown impact and attack vectors; an issue similar to that affecting mcrypt_create_iv(). This only affects PHP5 (CVE-2007-2728). The substr_count() function allows attackers to obtain sensitive information via unspecified vectors. This only affects PHP5 (CVE-2007-2748). An infinite loop was found in the gd extension that could be used to cause a denial of service if a script were forced to process certain PNG images from untrusted sources (CVE-2007-2756). An integer overflow flaw was found in the chunk_split() function that ould possibly execute arbitrary code as the apache user if a remote attacker was able to pass arbitrary data to the third argument of chunk_split() (CVE-2007-2872). A flaw in the PHP session cookie handling could allow an attacker to create a cross-site cookie insertion attack if a victim followed an untrusted carefully-crafted URL (CVE-2007-3799). Various integer overflow flaws were discovered in the PHP gd extension that could allow a remote attacker to execute arbitrary code as the apache user (CVE-2007-3996). A flaw in the wordwrap() frunction could result in a denial of ervice if a remote attacker was able to pass arbitrary data to the function (CVE-2007-3998). A flaw in the money_format() function could result in an information leak or denial of service if a remote attacker was able to pass arbitrary data to this function; this situation would be unlikely however (CVE-2007-4658). A bug in the PHP session cookie handling could allow an attacker to stop a victim from viewing a vulnerable website if the victim first visited a malicious website under the control of the attacker who was able to use that page to set a cookie for the vulnerable website (CVE-2007-4670). Updated packages have been patched to prevent these issues. In addition, PECL ZIP version 1.8.10 is being provided for Corporate Server 4.0. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1375 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1399 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1900 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2727 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2728 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2748 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2872 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3799 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3996 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3998 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4658 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4670 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.0: 57a68f47fd8c691db93b9eadbbf19b40 2007.0/i586/libphp5_common5-5.1.6-1.9mdv2007.0.i586.rpm f82d39f70da087f4d7f9470f81211276 2007.0/i586/php-cgi-5.1.6-1.9mdv2007.0.i586.rpm a22e66bf85ab53ff1782ce331ffa60a6 2007.0/i586/php-cli-5.1.6-1.9mdv2007.0.i586.rpm c3cd07dba2182b4f583794a3b240e84e 2007.0/i586/php-devel-5.1.6-1.9mdv2007.0.i586.rpm 265ef0003e043ad3013022b1e566fd89 2007.0/i586/php-fcgi-5.1.6-1.9mdv2007.0.i586.rpm 598e110d6abcc345a0b6ee1676214ee2 2007.0/i586/php-gd-5.1.6-1.3mdv2007.0.i586.rpm 0f9a486f5ccadd55c81aa61705ae5d81 2007.0/i586/php-mcrypt-5.1.6-1.1mdv2007.0.i586.rpm 6d7d80d3cdeae2e4ca286b67be659cef 2007.0/i586/php-soap-5.1.6-1.2mdv2007.0.i586.rpm 06fef845a7f0eb15fbda8e01d2449759 2007.0/SRPMS/php-5.1.6-1.9mdv2007.0.src.rpm 1c4c5379d367dd0ba8c002d2a60eb8b1 2007.0/SRPMS/php-gd-5.1.6-1.3mdv2007.0.src.rpm 4b4382448f9be55ea66f8b910a12a97c 2007.0/SRPMS/php-mcrypt-5.1.6-1.1mdv2007.0.src.rpm c9e9b415eac3b864ffcece762c6aa6bb 2007.0/SRPMS/php-soap-5.1.6-1.2mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: 8ddfb570e663d8b61cbfaf5bc8585d54 2007.0/x86_64/lib64php5_common5-5.1.6-1.9mdv2007.0.x86_64.rpm d05d20ad5c5ddd84649aaed661b83c7a 2007.0/x86_64/php-cgi-5.1.6-1.9mdv2007.0.x86_64.rpm 9ba45cce68ffa043cf1fb23fe765e104 2007.0/x86_64/php-cli-5.1.6-1.9mdv2007.0.x86_64.rpm 26ead0e8cd3bab9ba64cc39f596d6533 2007.0/x86_64/php-devel-5.1.6-1.9mdv2007.0.x86_64.rpm 65673d78e3e1af683d64e30ba832be63 2007.0/x86_64/php-fcgi-5.1.6-1.9mdv2007.0.x86_64.rpm 0d478806da998759a96cdbf8694c0324 2007.0/x86_64/php-gd-5.1.6-1.3mdv2007.0.x86_64.rpm 99ec9336533a6ff74b93841497a73fe1 2007.0/x86_64/php-mcrypt-5.1.6-1.1mdv2007.0.x86_64.rpm 1b5bdc02b561134835c729fb404b0931 2007.0/x86_64/php-soap-5.1.6-1.2mdv2007.0.x86_64.rpm 06fef845a7f0eb15fbda8e01d2449759 2007.0/SRPMS/php-5.1.6-1.9mdv2007.0.src.rpm 1c4c5379d367dd0ba8c002d2a60eb8b1 2007.0/SRPMS/php-gd-5.1.6-1.3mdv2007.0.src.rpm 4b4382448f9be55ea66f8b910a12a97c 2007.0/SRPMS/php-mcrypt-5.1.6-1.1mdv2007.0.src.rpm c9e9b415eac3b864ffcece762c6aa6bb 2007.0/SRPMS/php-soap-5.1.6-1.2mdv2007.0.src.rpm Mandriva Linux 2007.1: cfb5ebca225920865fd41b8d7379ec04 2007.1/i586/libphp5_common5-5.2.1-4.3mdv2007.1.i586.rpm fd99e8fd1eba60464844111ba0bf658f 2007.1/i586/php-cgi-5.2.1-4.3mdv2007.1.i586.rpm d2d5ef2a6eb326c85e5e4e66d5488032 2007.1/i586/php-cli-5.2.1-4.3mdv2007.1.i586.rpm f8ff08caf4bf9d4b06c84dabf426ad4f 2007.1/i586/php-devel-5.2.1-4.3mdv2007.1.i586.rpm 0e362fc96f32b9046df73d01938f4a4f 2007.1/i586/php-fcgi-5.2.1-4.3mdv2007.1.i586.rpm 3796283e1a18abd35c66e9fdb7cecf84 2007.1/i586/php-gd-5.2.1-1.2mdv2007.1.i586.rpm 8303fdaff4f40f7025e84b9571db7557 2007.1/i586/php-mcrypt-5.2.1-1.1mdv2007.1.i586.rpm 765b7cff3e34bf6be0d31d5e11c6d21f 2007.1/i586/php-openssl-5.2.1-4.3mdv2007.1.i586.rpm 8ed091e407210049489fb70ba4f18e3f 2007.1/i586/php-soap-5.2.1-1.2mdv2007.1.i586.rpm 649f2efadad45640ca14f5ab644de67f 2007.1/i586/php-zlib-5.2.1-4.3mdv2007.1.i586.rpm 8779e5a26aecb35eaf93a5c54f35a798 2007.1/SRPMS/php-5.2.1-4.3mdv2007.1.src.rpm d16710089832ae31873c0db7e6df87fd 2007.1/SRPMS/php-gd-5.2.1-1.2mdv2007.1.src.rpm ec8b2d536f13c35dd2c2f1cca92c5694 2007.1/SRPMS/php-mcrypt-5.2.1-1.1mdv2007.1.src.rpm 90f9821184ef2fc8cca2a35e54080f44 2007.1/SRPMS/php-soap-5.2.1-1.2mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: 4af5b6e98feeeb88b8993768c15497ce 2007.1/x86_64/lib64php5_common5-5.2.1-4.3mdv2007.1.x86_64.rpm f5e5fbb413e349ff9ae9e8e82a59dd92 2007.1/x86_64/php-cgi-5.2.1-4.3mdv2007.1.x86_64.rpm c93c070b38a3c2602dbfea38e648fea1 2007.1/x86_64/php-cli-5.2.1-4.3mdv2007.1.x86_64.rpm 5d7fa073092e6599eddaaffab5b4df4f 2007.1/x86_64/php-devel-5.2.1-4.3mdv2007.1.x86_64.rpm 0d593dad6f79e0331d1a9c7544d6fe42 2007.1/x86_64/php-fcgi-5.2.1-4.3mdv2007.1.x86_64.rpm 8652914b9aa256724004e12621111ce3 2007.1/x86_64/php-gd-5.2.1-1.2mdv2007.1.x86_64.rpm cc2993f0faf2d76eb317162162237049 2007.1/x86_64/php-mcrypt-5.2.1-1.1mdv2007.1.x86_64.rpm 2becb2e136e605d4b6fcbb80b8b96fdc 2007.1/x86_64/php-openssl-5.2.1-4.3mdv2007.1.x86_64.rpm 241a453a1007cc84f0f789b2a11bf96f 2007.1/x86_64/php-soap-5.2.1-1.2mdv2007.1.x86_64.rpm 58a30a4284944ed364d488338c6d4605 2007.1/x86_64/php-zlib-5.2.1-4.3mdv2007.1.x86_64.rpm 8779e5a26aecb35eaf93a5c54f35a798 2007.1/SRPMS/php-5.2.1-4.3mdv2007.1.src.rpm d16710089832ae31873c0db7e6df87fd 2007.1/SRPMS/php-gd-5.2.1-1.2mdv2007.1.src.rpm ec8b2d536f13c35dd2c2f1cca92c5694 2007.1/SRPMS/php-mcrypt-5.2.1-1.1mdv2007.1.src.rpm 90f9821184ef2fc8cca2a35e54080f44 2007.1/SRPMS/php-soap-5.2.1-1.2mdv2007.1.src.rpm Corporate 3.0: 247e24717edaad099d4dfac36d06da11 corporate/3.0/i586/libphp_common432-4.3.4-4.27.C30mdk.i586.rpm a2fe1080b8981493b83f6bb6c08a6f83 corporate/3.0/i586/php-cgi-4.3.4-4.27.C30mdk.i586.rpm 0468aa254c2495b128f4ea776b7100f7 corporate/3.0/i586/php-cli-4.3.4-4.27.C30mdk.i586.rpm 230476bcb71774884ec17ecbef336e5c corporate/3.0/i586/php-gd-4.3.4-1.7.C30mdk.i586.rpm 3cac8eecfdee304b0889fbe99958a6ca corporate/3.0/i586/php432-devel-4.3.4-4.27.C30mdk.i586.rpm 74c8bcac18b502174d270a0e2529d8e8 corporate/3.0/SRPMS/php-4.3.4-4.27.C30mdk.src.rpm 7db08e02ff0b4d59c58bbef5ff25a89b corporate/3.0/SRPMS/php-gd-4.3.4-1.7.C30mdk.src.rpm Corporate 3.0/X86_64: 54b38db5000d71f5f4cfe0d55ea8839d corporate/3.0/x86_64/lib64php_common432-4.3.4-4.27.C30mdk.x86_64.rpm e06d422dedbd7ff39eb86c8afdf23f8c corporate/3.0/x86_64/php-cgi-4.3.4-4.27.C30mdk.x86_64.rpm 66bea84020ec6231dbc345215b6398d4 corporate/3.0/x86_64/php-cli-4.3.4-4.27.C30mdk.x86_64.rpm 6e47af7339e7c939133d3bbab0b54c60 corporate/3.0/x86_64/php-gd-4.3.4-1.7.C30mdk.x86_64.rpm 9aa27728797f8a8b7fe6932237779dc1 corporate/3.0/x86_64/php432-devel-4.3.4-4.27.C30mdk.x86_64.rpm 74c8bcac18b502174d270a0e2529d8e8 corporate/3.0/SRPMS/php-4.3.4-4.27.C30mdk.src.rpm 7db08e02ff0b4d59c58bbef5ff25a89b corporate/3.0/SRPMS/php-gd-4.3.4-1.7.C30mdk.src.rpm Corporate 4.0: 6660cfe8b3e883412a9d138cb4776a17 corporate/4.0/i586/libphp4_common4-4.4.4-1.7.20060mlcs4.i586.rpm 0a43b956bf221f3dc6b534aed4c2c332 corporate/4.0/i586/libphp5_common5-5.1.6-1.8.20060mlcs4.i586.rpm d01223da70e8e3c6c17b0bd065cf4747 corporate/4.0/i586/php-cgi-5.1.6-1.8.20060mlcs4.i586.rpm 9cdf4d6ba4446811b0118126b31dd80b corporate/4.0/i586/php-cli-5.1.6-1.8.20060mlcs4.i586.rpm 6f486a6a19edef73ac2bc6aba2cf342a corporate/4.0/i586/php-devel-5.1.6-1.8.20060mlcs4.i586.rpm a126823de602fb9aecae42f052ab2827 corporate/4.0/i586/php-fcgi-5.1.6-1.8.20060mlcs4.i586.rpm 9c198b7e8a34c3e4d03f18174b2b1a84 corporate/4.0/i586/php-gd-5.1.6-1.3.20060mlcs4.i586.rpm b58d0518a5a44bdb26006df7b3d0b9f4 corporate/4.0/i586/php-mcrypt-5.1.6-1.1.20060mlcs4.i586.rpm c306da649d383d2ef0d4e568e8f77bd2 corporate/4.0/i586/php-soap-5.1.6-1.2.20060mlcs4.i586.rpm 6fbcf94c677317eaa73f2972afbece1c corporate/4.0/i586/php-zip-1.8.10-0.1.20060mlcs4.i586.rpm 473813677bb2f261182b53f6175908b8 corporate/4.0/i586/php4-cgi-4.4.4-1.7.20060mlcs4.i586.rpm 5c53c5fd3860246341522a47712b7d18 corporate/4.0/i586/php4-cli-4.4.4-1.7.20060mlcs4.i586.rpm 079851b5a916b27cb16aa4bde9bcd86e corporate/4.0/i586/php4-devel-4.4.4-1.7.20060mlcs4.i586.rpm cf0a080ecd0acb5e01f7e2e41ed3c76d corporate/4.0/i586/php4-gd-4.4.4-1.2.20060mlcs4.i586.rpm c2333bbae7d3a20b90a2e174f2caf5da corporate/4.0/i586/php4-mcrypt-4.4.4-1.1.20060mlcs4.i586.rpm b406cd54519867c9611c6c6700827457 corporate/4.0/SRPMS/php-5.1.6-1.8.20060mlcs4.src.rpm 491027bf3182f1f56e93e4d3a053d9e0 corporate/4.0/SRPMS/php-gd-5.1.6-1.3.20060mlcs4.src.rpm dd89eef4f40af9dff068c28bd56b4d5b corporate/4.0/SRPMS/php-mcrypt-5.1.6-1.1.20060mlcs4.src.rpm d7107b5be0e7768abad9c15cc8584ded corporate/4.0/SRPMS/php-soap-5.1.6-1.2.20060mlcs4.src.rpm f39e559d753bc59816d4106cd095d0db corporate/4.0/SRPMS/php-zip-1.8.10-0.1.20060mlcs4.src.rpm 1f1fd034cfd3d3f911315a34326d553e corporate/4.0/SRPMS/php4-4.4.4-1.7.20060mlcs4.src.rpm 00447503df74be2f96f4ec4f93de6694 corporate/4.0/SRPMS/php4-gd-4.4.4-1.2.20060mlcs4.src.rpm c005bcfb3c95e618ba5a4c928d5b75c7 corporate/4.0/SRPMS/php4-mcrypt-4.4.4-1.1.20060mlcs4.src.rpm Corporate 4.0/X86_64: d04a06f2a1d4c8d36b1ce3de6448577b corporate/4.0/x86_64/lib64php4_common4-4.4.4-1.7.20060mlcs4.x86_64.rpm b22d1122c842de135ddf34d331641da8 corporate/4.0/x86_64/lib64php5_common5-5.1.6-1.8.20060mlcs4.x86_64.rpm 9866242fb135cca7cf3e35e97f5178af corporate/4.0/x86_64/php-cgi-5.1.6-1.8.20060mlcs4.x86_64.rpm c68e05947bec3bb82e9d1d5c572f96d5 corporate/4.0/x86_64/php-cli-5.1.6-1.8.20060mlcs4.x86_64.rpm cf53b9aaef91d88655f9d74e3ff2aacb corporate/4.0/x86_64/php-devel-5.1.6-1.8.20060mlcs4.x86_64.rpm f8c251520d975a4010def1750fd8346d corporate/4.0/x86_64/php-fcgi-5.1.6-1.8.20060mlcs4.x86_64.rpm 5b34f8737e26d00f33c0328d763ab213 corporate/4.0/x86_64/php-gd-5.1.6-1.3.20060mlcs4.x86_64.rpm 758cf65ca6d0a4abebb902e0cba8a340 corporate/4.0/x86_64/php-mcrypt-5.1.6-1.1.20060mlcs4.x86_64.rpm 13bee1adbfe5e67c01ca731ea81dbdd9 corporate/4.0/x86_64/php-soap-5.1.6-1.2.20060mlcs4.x86_64.rpm 4c0b39d8927c6cb19e32befb0539680e corporate/4.0/x86_64/php-zip-1.8.10-0.1.20060mlcs4.x86_64.rpm 5ada3b423910e48a26c77a8cf95cc274 corporate/4.0/x86_64/php4-cgi-4.4.4-1.7.20060mlcs4.x86_64.rpm 84fae5bb1c27d7c4a6dcb7c29966e2ce corporate/4.0/x86_64/php4-cli-4.4.4-1.7.20060mlcs4.x86_64.rpm ccc04f5e1301a856a4d8e24bd36342cb corporate/4.0/x86_64/php4-devel-4.4.4-1.7.20060mlcs4.x86_64.rpm 0eafa187fc47d54782cba69a73d500f8 corporate/4.0/x86_64/php4-gd-4.4.4-1.2.20060mlcs4.x86_64.rpm 17f6a6e9ff9cb623ba5538c46571fce5 corporate/4.0/x86_64/php4-mcrypt-4.4.4-1.1.20060mlcs4.x86_64.rpm b406cd54519867c9611c6c6700827457 corporate/4.0/SRPMS/php-5.1.6-1.8.20060mlcs4.src.rpm 491027bf3182f1f56e93e4d3a053d9e0 corporate/4.0/SRPMS/php-gd-5.1.6-1.3.20060mlcs4.src.rpm dd89eef4f40af9dff068c28bd56b4d5b corporate/4.0/SRPMS/php-mcrypt-5.1.6-1.1.20060mlcs4.src.rpm d7107b5be0e7768abad9c15cc8584ded corporate/4.0/SRPMS/php-soap-5.1.6-1.2.20060mlcs4.src.rpm f39e559d753bc59816d4106cd095d0db corporate/4.0/SRPMS/php-zip-1.8.10-0.1.20060mlcs4.src.rpm 1f1fd034cfd3d3f911315a34326d553e corporate/4.0/SRPMS/php4-4.4.4-1.7.20060mlcs4.src.rpm 00447503df74be2f96f4ec4f93de6694 corporate/4.0/SRPMS/php4-gd-4.4.4-1.2.20060mlcs4.src.rpm c005bcfb3c95e618ba5a4c928d5b75c7 corporate/4.0/SRPMS/php4-mcrypt-4.4.4-1.1.20060mlcs4.src.rpm Multi Network Firewall 2.0: 4a0e9e73f51d6118c3580b9f556c0a2d mnf/2.0/i586/libphp_common432-4.3.4-4.27.C30mdk.i586.rpm f4698dd4eb9c4c9e12528c70cf458e7f mnf/2.0/i586/php-cgi-4.3.4-4.27.C30mdk.i586.rpm 91e6914a490349580511f216a8220c86 mnf/2.0/i586/php-cli-4.3.4-4.27.C30mdk.i586.rpm b5655d8d54a14d9f5cdb56246ddad2e3 mnf/2.0/i586/php-gd-4.3.4-1.7.C30mdk.i586.rpm 752e636b31d84df4b9283fc56b60ef5b mnf/2.0/i586/php432-devel-4.3.4-4.27.C30mdk.i586.rpm dba539a2cc542b14898bea508291fb93 mnf/2.0/SRPMS/php-4.3.4-4.27.C30mdk.src.rpm 86dacced331afeb19a375cdcd5ade744 mnf/2.0/SRPMS/php-gd-4.3.4-1.7.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFG9CU6mqjQ0CJFipgRAs8RAKDsqCO/QPqLczFFlIVUz3pfMnFdUwCePmkK vvRjTT2T2agDRpYmZWKYhFs= =4TWc -----END PGP SIGNATURE-----