--------------------------------------------------------------------- Red Hat, Inc. Red Hat Security Advisory Synopsis: Updated PHP packages are available Advisory ID: RHSA-2002:035-13 Issue date: 2002-02-27 Updated on: 2002-02-27 Product: Red Hat Linux Keywords: PHP remote exploit mulitpart MIME Cross references: Obsoletes: RHSA-2000:088 RHSA-2000:136 --------------------------------------------------------------------- 1. Topic: Updated PHP packages are available to fix vulnerabilities in the functions that parse multipart MIME data, which are used when uploading files through forms. 2. Relevant releases/architectures: Red Hat Linux 6.2 - alpha, i386, sparc Red Hat Linux 7.0 - alpha, i386 Red Hat Linux 7.1 - alpha, i386, ia64 Red Hat Linux 7.2 - i386, ia64, s390 3. Problem description: PHP is an HTML-embeddable scripting language. A number of flaws have been found in the way PHP handles multipart/form-data POST requests. Each of these flaws could allow an attacker to execute arbitrary code on the remote system. PHP 3.10-3.18 contains a broken boundary check (hard to exploit) and an arbitrary heap overflow (easy to exploit). These versions of PHP were shipped with Red Hat Linux 6.2. PHP 4.0.1-4.0.3pl1 contains a broken boundary check (hard to exploit) and a heap-off-by-one (easy to exploit). These versions of PHP were shipped with Red Hat Linux 7.0. PHP 4.0.2-4.0.5 contains two broken boundary checks (one very easy and one hard to exploit). These versions of PHP were shipped with Red Hat Linux 7.1 and as erratas to 7.0. PHP 4.0.6-4.0.7RC2 contains a broken boundary check (very easy to exploit). These versions of PHP were shipped with Red Hat Linux 7.2 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0081 to this issue. If you are running PHP 4.0.3 or above, one way to work around these bugs is to disable the fileupload support within your php.ini file (by setting file_uploads = Off). All users of PHP are advised to immediately upgrade to these errata packages which close these vulnerabilities. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. After applying these updates you will need to restart your web server if it was running before the update was applied. 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 6. RPMs required: Red Hat Linux 6.2: SRPMS: ftp://updates.redhat.com/6.2/en/os/SRPMS/php-3.0.18-8.src.rpm alpha: ftp://updates.redhat.com/6.2/en/os/alpha/php-3.0.18-8.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/php-manual-3.0.18-8.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/php-pgsql-3.0.18-8.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/php-imap-3.0.18-8.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/php-ldap-3.0.18-8.alpha.rpm i386: ftp://updates.redhat.com/6.2/en/os/i386/php-3.0.18-8.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/php-manual-3.0.18-8.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/php-pgsql-3.0.18-8.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/php-imap-3.0.18-8.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/php-ldap-3.0.18-8.i386.rpm sparc: ftp://updates.redhat.com/6.2/en/os/sparc/php-3.0.18-8.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/php-manual-3.0.18-8.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/php-pgsql-3.0.18-8.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/php-imap-3.0.18-8.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/php-ldap-3.0.18-8.sparc.rpm Red Hat Linux 7.0: SRPMS: ftp://updates.redhat.com/7.0/en/os/SRPMS/php-4.0.6-9.7.0.src.rpm alpha: ftp://updates.redhat.com/7.0/en/os/alpha/php-4.0.6-9.7.0.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-devel-4.0.6-9.7.0.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-imap-4.0.6-9.7.0.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-ldap-4.0.6-9.7.0.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-manual-4.0.6-9.7.0.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-mysql-4.0.6-9.7.0.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-pgsql-4.0.6-9.7.0.alpha.rpm i386: ftp://updates.redhat.com/7.0/en/os/i386/php-4.0.6-9.7.0.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-devel-4.0.6-9.7.0.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-imap-4.0.6-9.7.0.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-ldap-4.0.6-9.7.0.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-manual-4.0.6-9.7.0.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-mysql-4.0.6-9.7.0.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-pgsql-4.0.6-9.7.0.i386.rpm Red Hat Linux 7.1: SRPMS: ftp://updates.redhat.com/7.1/en/os/SRPMS/php-4.0.6-9.7.1.src.rpm alpha: ftp://updates.redhat.com/7.1/en/os/alpha/php-4.0.6-9.7.1.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-devel-4.0.6-9.7.1.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-imap-4.0.6-9.7.1.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-ldap-4.0.6-9.7.1.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-manual-4.0.6-9.7.1.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-mysql-4.0.6-9.7.1.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-pgsql-4.0.6-9.7.1.alpha.rpm i386: ftp://updates.redhat.com/7.1/en/os/i386/php-4.0.6-9.7.1.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-devel-4.0.6-9.7.1.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-imap-4.0.6-9.7.1.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-ldap-4.0.6-9.7.1.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-manual-4.0.6-9.7.1.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-mysql-4.0.6-9.7.1.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-pgsql-4.0.6-9.7.1.i386.rpm ia64: ftp://updates.redhat.com/7.1/en/os/ia64/php-4.0.6-9.7.1.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-devel-4.0.6-9.7.1.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-imap-4.0.6-9.7.1.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-ldap-4.0.6-9.7.1.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-manual-4.0.6-9.7.1.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-mysql-4.0.6-9.7.1.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-pgsql-4.0.6-9.7.1.ia64.rpm Red Hat Linux 7.2: SRPMS: ftp://updates.redhat.com/7.2/en/os/SRPMS/php-4.0.6-12.src.rpm i386: ftp://updates.redhat.com/7.2/en/os/i386/php-4.0.6-12.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-devel-4.0.6-12.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-imap-4.0.6-12.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-ldap-4.0.6-12.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-manual-4.0.6-12.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-mysql-4.0.6-12.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-odbc-4.0.6-12.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-pgsql-4.0.6-12.i386.rpm ia64: ftp://updates.redhat.com/7.2/en/os/ia64/php-4.0.6-12.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-devel-4.0.6-12.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-imap-4.0.6-12.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-ldap-4.0.6-12.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-manual-4.0.6-12.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-mysql-4.0.6-12.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-odbc-4.0.6-12.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-pgsql-4.0.6-12.ia64.rpm 7. Verification: MD5 sum Package Name -------------------------------------------------------------------------- f07b6317aee9ade09625a8166641edc7 6.2/en/os/SRPMS/php-3.0.18-8.src.rpm c56a2c896756ce982e14b329ee122c97 6.2/en/os/alpha/php-3.0.18-8.alpha.rpm 1a14f54cf642e41b6474f7bd8d89b4b7 6.2/en/os/alpha/php-imap-3.0.18-8.alpha.rpm 90244d18f76ce2f254e946edcb28e4b9 6.2/en/os/alpha/php-ldap-3.0.18-8.alpha.rpm 7b05bacc07896a17866cbe73b9c37eba 6.2/en/os/alpha/php-manual-3.0.18-8.alpha.rpm 1266ab137b0fb24e7447683e9100c501 6.2/en/os/alpha/php-pgsql-3.0.18-8.alpha.rpm f4219464571e14737e1e5e3d414ae5d2 6.2/en/os/i386/php-3.0.18-8.i386.rpm 9e4250f304c8832a0d0e99d98109f59c 6.2/en/os/i386/php-imap-3.0.18-8.i386.rpm 31630b40f901d1617cfe0fce4a2e14df 6.2/en/os/i386/php-ldap-3.0.18-8.i386.rpm 78ade58fa6517548264f21996bf799a3 6.2/en/os/i386/php-manual-3.0.18-8.i386.rpm c4985d7263824fd4c837f997605afff2 6.2/en/os/i386/php-pgsql-3.0.18-8.i386.rpm 08e4722c97645d8bde860ff0b9dbb48c 6.2/en/os/sparc/php-3.0.18-8.sparc.rpm 17d9aaac1927e3dd631dfd26fd75e25e 6.2/en/os/sparc/php-imap-3.0.18-8.sparc.rpm 4f9a316f188315dddc6d2d7b3f643abc 6.2/en/os/sparc/php-ldap-3.0.18-8.sparc.rpm f7783e877972c2cd4a8c91574fef4655 6.2/en/os/sparc/php-manual-3.0.18-8.sparc.rpm b2ac8533b51b8a63db12cee2e334bc70 6.2/en/os/sparc/php-pgsql-3.0.18-8.sparc.rpm 984cf05e255e5dba84756f43089ad41d 7.0/en/os/SRPMS/php-4.0.6-9.7.0.src.rpm 23f5e948527d86906c1c0b5c14394443 7.0/en/os/alpha/php-4.0.6-9.7.0.alpha.rpm 27046892357d213bb07af47462dbb2e8 7.0/en/os/alpha/php-devel-4.0.6-9.7.0.alpha.rpm 60059adcebffe32f7aa42f40ded0ccd6 7.0/en/os/alpha/php-imap-4.0.6-9.7.0.alpha.rpm 66a9241666dfac55076483446a46c656 7.0/en/os/alpha/php-ldap-4.0.6-9.7.0.alpha.rpm efd1b02def9b37c003111b32fd951c47 7.0/en/os/alpha/php-manual-4.0.6-9.7.0.alpha.rpm 5cedcc04933ef82c06de866591bb14b9 7.0/en/os/alpha/php-mysql-4.0.6-9.7.0.alpha.rpm 6d41072e5482e5c4ecd72dc20a380608 7.0/en/os/alpha/php-pgsql-4.0.6-9.7.0.alpha.rpm c51cae878dbd0ddb59f293bb2b74576a 7.0/en/os/i386/php-4.0.6-9.7.0.i386.rpm ece39ce64f13090908e1e724e8ac20c2 7.0/en/os/i386/php-devel-4.0.6-9.7.0.i386.rpm ddf79ef25cef397db6b375e55ec72461 7.0/en/os/i386/php-imap-4.0.6-9.7.0.i386.rpm aa7f45c1bdd74ba24cc478227d1231ef 7.0/en/os/i386/php-ldap-4.0.6-9.7.0.i386.rpm a09113571cdf2b494587cdf5d0e3b94e 7.0/en/os/i386/php-manual-4.0.6-9.7.0.i386.rpm 184160c5c02313d3b00ccb35f440308b 7.0/en/os/i386/php-mysql-4.0.6-9.7.0.i386.rpm a26becd661ccc40b073133205494ed31 7.0/en/os/i386/php-pgsql-4.0.6-9.7.0.i386.rpm 13e044d5838ca92e87a6c75422f1dcfa 7.1/en/os/SRPMS/php-4.0.6-9.7.1.src.rpm bf4fd0046038fdf77d73be0569a04c1a 7.1/en/os/alpha/php-4.0.6-9.7.1.alpha.rpm 8aee7e333ab227ca9d8e03ecfea81b12 7.1/en/os/alpha/php-devel-4.0.6-9.7.1.alpha.rpm 80b146826658d08d84ae5d6fb8653f0a 7.1/en/os/alpha/php-imap-4.0.6-9.7.1.alpha.rpm 77224698038db01686f2e078332db3df 7.1/en/os/alpha/php-ldap-4.0.6-9.7.1.alpha.rpm 5b70392e70416ca43699e082bc080606 7.1/en/os/alpha/php-manual-4.0.6-9.7.1.alpha.rpm a318eecc9ee831d76b2565dd029ab544 7.1/en/os/alpha/php-mysql-4.0.6-9.7.1.alpha.rpm a0aceadd726fb8e4003b8e82488c6460 7.1/en/os/alpha/php-pgsql-4.0.6-9.7.1.alpha.rpm a3886ccade78602bc997513289f3ea48 7.1/en/os/i386/php-4.0.6-9.7.1.i386.rpm 32e7d5a1b44a5b1f41d2f392dce873ab 7.1/en/os/i386/php-devel-4.0.6-9.7.1.i386.rpm 0cebe302673d264ba98ca5eb5a336386 7.1/en/os/i386/php-imap-4.0.6-9.7.1.i386.rpm 108a196736b34d28f4cee176da65c326 7.1/en/os/i386/php-ldap-4.0.6-9.7.1.i386.rpm fabc969a08a7f268f74e18d1dfca87a1 7.1/en/os/i386/php-manual-4.0.6-9.7.1.i386.rpm 8ebdf9dcfa1677667c5e9846df68708c 7.1/en/os/i386/php-mysql-4.0.6-9.7.1.i386.rpm 90793e84d6689d25d3a242d0e75f5b67 7.1/en/os/i386/php-pgsql-4.0.6-9.7.1.i386.rpm 467c5b32df73a82a3b4a5e69dac14a3d 7.1/en/os/ia64/php-4.0.6-9.7.1.ia64.rpm 1e4fbc2380f0f68b5384b8523c524a46 7.1/en/os/ia64/php-devel-4.0.6-9.7.1.ia64.rpm 82c5fc25016e739099689267369172e4 7.1/en/os/ia64/php-imap-4.0.6-9.7.1.ia64.rpm 5d5d488f11e431fa18782c69f0f7a143 7.1/en/os/ia64/php-ldap-4.0.6-9.7.1.ia64.rpm 3abf84cd5f344cf8b14226b47474bc2e 7.1/en/os/ia64/php-manual-4.0.6-9.7.1.ia64.rpm 9c502c398208c15b6b9d9c5467b4a620 7.1/en/os/ia64/php-mysql-4.0.6-9.7.1.ia64.rpm 5ad2b0aa07efaff0d2f93c38e238cbe2 7.1/en/os/ia64/php-pgsql-4.0.6-9.7.1.ia64.rpm 0115ad07854838a15cfea42e5cef3002 7.2/en/os/SRPMS/php-4.0.6-12.src.rpm 54fa818f60d7dd918ae05c598a6c9308 7.2/en/os/i386/php-4.0.6-12.i386.rpm b7332d143c4cab1dc69eecdb7796e1c0 7.2/en/os/i386/php-devel-4.0.6-12.i386.rpm ed11518798bdecd13996e5e7a04a1b78 7.2/en/os/i386/php-imap-4.0.6-12.i386.rpm ec94a9b7770d43dc698dc3298aee8d02 7.2/en/os/i386/php-ldap-4.0.6-12.i386.rpm b8a4de8035343527c545c8823c39ff2e 7.2/en/os/i386/php-manual-4.0.6-12.i386.rpm 72c68100743a945adfb2b8486dafca65 7.2/en/os/i386/php-mysql-4.0.6-12.i386.rpm daf507853a3a894a9e558b5559d3d27b 7.2/en/os/i386/php-odbc-4.0.6-12.i386.rpm 179026b54d77cc23a79e3e708db0648b 7.2/en/os/i386/php-pgsql-4.0.6-12.i386.rpm b4b5d57a278022c02842feffb29e939e 7.2/en/os/ia64/php-4.0.6-12.ia64.rpm 5ce8d950d8fc280077f1843a61f248f9 7.2/en/os/ia64/php-devel-4.0.6-12.ia64.rpm 2aeb47f34004bc84b401306f50326e99 7.2/en/os/ia64/php-imap-4.0.6-12.ia64.rpm 955fe4bfde4021e792bd7c69d9e89482 7.2/en/os/ia64/php-ldap-4.0.6-12.ia64.rpm 4a995a96fdadc689c4ea9849900e12e0 7.2/en/os/ia64/php-manual-4.0.6-12.ia64.rpm 7015803c8d5b7d0d9327186c50b8263b 7.2/en/os/ia64/php-mysql-4.0.6-12.ia64.rpm 9867768b827a91939e5d426b15637861 7.2/en/os/ia64/php-odbc-4.0.6-12.ia64.rpm fc602be9288f8d743525698fa839b766 7.2/en/os/ia64/php-pgsql-4.0.6-12.ia64.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/about/contact/pgpkey.html You can verify each package with the following command: rpm --checksig <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg <filename> 8. References: http://security.e-matters.de/advisories/012002.html http://www.kb.cert.org/vuls/id/297363 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0081 Copyright(c) 2000, 2001 Red Hat, Inc.