--------------------------------------------------------------------- Red Hat, Inc. Red Hat Security Advisory Synopsis: Updated PHP packages are available [updated 2002-Mar-11] Advisory ID: RHSA-2002:035-18 Issue date: 2002-02-27 Updated on: 2002-03-21 Product: Red Hat Linux Keywords: PHP remote exploit mulitpart MIME Cross references: Obsoletes: RHSA-2000:088 RHSA-2000:136 --------------------------------------------------------------------- 1. Topic: Updated PHP packages are available to fix vulnerabilities in the functions that parse multipart MIME data, which are used when uploading files through forms. This revised advisory contains updated packages for Red Hat Linux 7, 7.1, and 7.2. 2. Relevant releases/architectures: Red Hat Linux 6.2 - alpha, i386, sparc Red Hat Linux 7.0 - alpha, i386 Red Hat Linux 7.1 - alpha, i386, ia64 Red Hat Linux 7.2 - i386, ia64, s390 3. Problem description: PHP is an HTML-embeddable scripting language. A number of flaws have been found in the way PHP handles multipart/form-data POST requests. Each of these flaws could allow an attacker to execute arbitrary code on the remote system. PHP 3.10-3.18 contains a broken boundary check (hard to exploit) and an arbitrary heap overflow (easy to exploit). These versions of PHP were shipped with Red Hat Linux 6.2. PHP 4.0.1-4.0.3pl1 contains a broken boundary check (hard to exploit) and a heap-off-by-one (easy to exploit). These versions of PHP were shipped with Red Hat Linux 7.0. PHP 4.0.2-4.0.5 contains two broken boundary checks (one very easy and one hard to exploit). These versions of PHP were shipped with Red Hat Linux 7.1 and as erratas to 7.0. PHP 4.0.6-4.0.7RC2 contains a broken boundary check (very easy to exploit). These versions of PHP were shipped with Red Hat Linux 7.2 The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0081 to this issue. If you are running PHP 4.0.3 or above, one way to work around these bugs is to disable the fileupload support within your php.ini file (by setting file_uploads = Off). All users of PHP are advised to immediately upgrade to these errata packages which close these vulnerabilities. A previous version of this erratum included a version of the MySQL extension which was compiled with an incorrect default pathname for the socket used to connect to database servers residing on the local host. This setting corresponds to the mysql.default_socket setting in the /etc/php.ini file, and can also be corrected there. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. After applying these updates you will need to restart your web server if it was running before the update was applied. 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 6. RPMs required: Red Hat Linux 6.2: SRPMS: ftp://updates.redhat.com/6.2/en/os/SRPMS/php-3.0.18-8.src.rpm alpha: ftp://updates.redhat.com/6.2/en/os/alpha/php-3.0.18-8.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/php-manual-3.0.18-8.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/php-pgsql-3.0.18-8.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/php-imap-3.0.18-8.alpha.rpm ftp://updates.redhat.com/6.2/en/os/alpha/php-ldap-3.0.18-8.alpha.rpm i386: ftp://updates.redhat.com/6.2/en/os/i386/php-3.0.18-8.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/php-manual-3.0.18-8.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/php-pgsql-3.0.18-8.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/php-imap-3.0.18-8.i386.rpm ftp://updates.redhat.com/6.2/en/os/i386/php-ldap-3.0.18-8.i386.rpm sparc: ftp://updates.redhat.com/6.2/en/os/sparc/php-3.0.18-8.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/php-manual-3.0.18-8.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/php-pgsql-3.0.18-8.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/php-imap-3.0.18-8.sparc.rpm ftp://updates.redhat.com/6.2/en/os/sparc/php-ldap-3.0.18-8.sparc.rpm Red Hat Linux 7.0: SRPMS: ftp://updates.redhat.com/7.0/en/os/SRPMS/php-4.0.6-13.src.rpm alpha: ftp://updates.redhat.com/7.0/en/os/alpha/php-4.0.6-13.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-devel-4.0.6-13.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-imap-4.0.6-13.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-ldap-4.0.6-13.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-manual-4.0.6-13.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-mysql-4.0.6-13.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-odbc-4.0.6-13.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-pgsql-4.0.6-13.alpha.rpm i386: ftp://updates.redhat.com/7.0/en/os/i386/php-4.0.6-13.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-devel-4.0.6-13.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-imap-4.0.6-13.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-ldap-4.0.6-13.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-manual-4.0.6-13.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-mysql-4.0.6-13.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-odbc-4.0.6-13.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-pgsql-4.0.6-13.i386.rpm Red Hat Linux 7.1: SRPMS: ftp://updates.redhat.com/7.1/en/os/SRPMS/php-4.0.6-14.src.rpm alpha: ftp://updates.redhat.com/7.1/en/os/alpha/php-4.0.6-14.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-devel-4.0.6-14.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-imap-4.0.6-14.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-ldap-4.0.6-14.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-manual-4.0.6-14.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-mysql-4.0.6-14.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-odbc-4.0.6-14.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-pgsql-4.0.6-14.alpha.rpm i386: ftp://updates.redhat.com/7.1/en/os/i386/php-4.0.6-14.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-devel-4.0.6-14.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-imap-4.0.6-14.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-ldap-4.0.6-14.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-manual-4.0.6-14.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-mysql-4.0.6-14.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-odbc-4.0.6-14.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-pgsql-4.0.6-14.i386.rpm ia64: ftp://updates.redhat.com/7.1/en/os/ia64/php-4.0.6-14.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-devel-4.0.6-14.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-imap-4.0.6-14.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-ldap-4.0.6-14.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-manual-4.0.6-14.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-mysql-4.0.6-14.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-odbc-4.0.6-14.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-pgsql-4.0.6-14.ia64.rpm Red Hat Linux 7.2: SRPMS: ftp://updates.redhat.com/7.2/en/os/SRPMS/php-4.0.6-15.src.rpm i386: ftp://updates.redhat.com/7.2/en/os/i386/php-4.0.6-15.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-devel-4.0.6-15.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-imap-4.0.6-15.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-ldap-4.0.6-15.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-manual-4.0.6-15.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-mysql-4.0.6-15.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-odbc-4.0.6-15.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-pgsql-4.0.6-15.i386.rpm ia64: ftp://updates.redhat.com/7.2/en/os/ia64/php-4.0.6-15.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-devel-4.0.6-15.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-imap-4.0.6-15.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-ldap-4.0.6-15.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-manual-4.0.6-15.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-mysql-4.0.6-15.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-odbc-4.0.6-15.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-pgsql-4.0.6-15.ia64.rpm 7. Verification: MD5 sum Package Name -------------------------------------------------------------------------- f07b6317aee9ade09625a8166641edc7 6.2/en/os/SRPMS/php-3.0.18-8.src.rpm c56a2c896756ce982e14b329ee122c97 6.2/en/os/alpha/php-3.0.18-8.alpha.rpm 1a14f54cf642e41b6474f7bd8d89b4b7 6.2/en/os/alpha/php-imap-3.0.18-8.alpha.rpm 90244d18f76ce2f254e946edcb28e4b9 6.2/en/os/alpha/php-ldap-3.0.18-8.alpha.rpm 7b05bacc07896a17866cbe73b9c37eba 6.2/en/os/alpha/php-manual-3.0.18-8.alpha.rpm 1266ab137b0fb24e7447683e9100c501 6.2/en/os/alpha/php-pgsql-3.0.18-8.alpha.rpm f4219464571e14737e1e5e3d414ae5d2 6.2/en/os/i386/php-3.0.18-8.i386.rpm 9e4250f304c8832a0d0e99d98109f59c 6.2/en/os/i386/php-imap-3.0.18-8.i386.rpm 31630b40f901d1617cfe0fce4a2e14df 6.2/en/os/i386/php-ldap-3.0.18-8.i386.rpm 78ade58fa6517548264f21996bf799a3 6.2/en/os/i386/php-manual-3.0.18-8.i386.rpm c4985d7263824fd4c837f997605afff2 6.2/en/os/i386/php-pgsql-3.0.18-8.i386.rpm 08e4722c97645d8bde860ff0b9dbb48c 6.2/en/os/sparc/php-3.0.18-8.sparc.rpm 17d9aaac1927e3dd631dfd26fd75e25e 6.2/en/os/sparc/php-imap-3.0.18-8.sparc.rpm 4f9a316f188315dddc6d2d7b3f643abc 6.2/en/os/sparc/php-ldap-3.0.18-8.sparc.rpm f7783e877972c2cd4a8c91574fef4655 6.2/en/os/sparc/php-manual-3.0.18-8.sparc.rpm b2ac8533b51b8a63db12cee2e334bc70 6.2/en/os/sparc/php-pgsql-3.0.18-8.sparc.rpm bb29d69be271e9392ac5d7927bb5898b 7.0/en/os/SRPMS/php-4.0.6-13.src.rpm 0b712264f703cbeb1ec8bfd4aef472fc 7.0/en/os/alpha/php-4.0.6-13.alpha.rpm 6ad1e3760f43c0bc6565aeb0e3e893c4 7.0/en/os/alpha/php-devel-4.0.6-13.alpha.rpm a591f97833ef17101dcdf4d3a83afca8 7.0/en/os/alpha/php-imap-4.0.6-13.alpha.rpm 71c2a9c5ac2110886a40fc95531bbc9b 7.0/en/os/alpha/php-ldap-4.0.6-13.alpha.rpm 0340411a93de40a1adf9399cf4250f98 7.0/en/os/alpha/php-manual-4.0.6-13.alpha.rpm a867a755350bdb973ca9bb6715d8ee02 7.0/en/os/alpha/php-mysql-4.0.6-13.alpha.rpm 85f509ab6df2eeff3598ee83a00a4894 7.0/en/os/alpha/php-odbc-4.0.6-13.alpha.rpm 00181ed29d93b2b58b0b80898c15b4db 7.0/en/os/alpha/php-pgsql-4.0.6-13.alpha.rpm af89043ea355c15f56b956851d0aa4d5 7.0/en/os/i386/php-4.0.6-13.i386.rpm df120a36632bfefed5e8214c103153c8 7.0/en/os/i386/php-devel-4.0.6-13.i386.rpm 954c496e71a391754431e604fea27d3a 7.0/en/os/i386/php-imap-4.0.6-13.i386.rpm fe6a47d82357ff4b2f2ecb3c4b5b9263 7.0/en/os/i386/php-ldap-4.0.6-13.i386.rpm 6494c2fe238beb90e8f5d374bef78b82 7.0/en/os/i386/php-manual-4.0.6-13.i386.rpm c9756317b0164b5a9eb4e598233f6603 7.0/en/os/i386/php-mysql-4.0.6-13.i386.rpm 0d219a74f9a603faa6bec0d6cae404ff 7.0/en/os/i386/php-odbc-4.0.6-13.i386.rpm b31f9833aa9de5fb146bd7b0d83d3447 7.0/en/os/i386/php-pgsql-4.0.6-13.i386.rpm 744b77f8a3cc55a27d4d60ab7981c535 7.1/en/os/SRPMS/php-4.0.6-14.src.rpm c050178fb44e084ff22c5df45313e4c5 7.1/en/os/alpha/php-4.0.6-14.alpha.rpm 20aec96fa6f11d258e7341364c7267fe 7.1/en/os/alpha/php-devel-4.0.6-14.alpha.rpm 0efbcddd0fece2113f11b4d73ed8fe7d 7.1/en/os/alpha/php-imap-4.0.6-14.alpha.rpm 4c312b08af6779ec7d232f6d5ee48110 7.1/en/os/alpha/php-ldap-4.0.6-14.alpha.rpm 46847ebec323ce1eee75f94a5e211ff9 7.1/en/os/alpha/php-manual-4.0.6-14.alpha.rpm 59ef323131bed33623b9e1fba289ed2f 7.1/en/os/alpha/php-mysql-4.0.6-14.alpha.rpm 9fbcb899edc3541018ec122c40576ff5 7.1/en/os/alpha/php-odbc-4.0.6-14.alpha.rpm e278989038dc0f87936569846aa293fc 7.1/en/os/alpha/php-pgsql-4.0.6-14.alpha.rpm dc1140d7f7b18781d672e309dd7ca04b 7.1/en/os/i386/php-4.0.6-14.i386.rpm fa4b579888995b6573e7a73804158f96 7.1/en/os/i386/php-devel-4.0.6-14.i386.rpm 1263d98ba75ec5ca1e65d48bd368379d 7.1/en/os/i386/php-imap-4.0.6-14.i386.rpm 74efc20c094b707be855dabaf2add1f4 7.1/en/os/i386/php-ldap-4.0.6-14.i386.rpm cbc44ab6b2fc44a02494bf2471919961 7.1/en/os/i386/php-manual-4.0.6-14.i386.rpm 5d495b80a74f66322a47fd944966f279 7.1/en/os/i386/php-mysql-4.0.6-14.i386.rpm b354335acc5b940d2f0e738fc4787be6 7.1/en/os/i386/php-odbc-4.0.6-14.i386.rpm d077d9fa21dadb3c057678230b3074c0 7.1/en/os/i386/php-pgsql-4.0.6-14.i386.rpm 3228e983d9ddc1d489a842530b89d243 7.1/en/os/ia64/php-4.0.6-14.ia64.rpm 4833f11cffa29e2ddb875363e5b3f251 7.1/en/os/ia64/php-devel-4.0.6-14.ia64.rpm 47b48d59b575a9b575d611e0f172b7aa 7.1/en/os/ia64/php-imap-4.0.6-14.ia64.rpm e4332a1b20a06ed9fb8f81fde2cc804b 7.1/en/os/ia64/php-ldap-4.0.6-14.ia64.rpm 6f7f723ee3f53ffca3f3d5ff45019b79 7.1/en/os/ia64/php-manual-4.0.6-14.ia64.rpm 3724f9d8d8f4d220346863a88de13d76 7.1/en/os/ia64/php-mysql-4.0.6-14.ia64.rpm 4b8f83a823e31ed823a3140a760483ff 7.1/en/os/ia64/php-odbc-4.0.6-14.ia64.rpm 3f3331675054fddb9da31bf86b0c5547 7.1/en/os/ia64/php-pgsql-4.0.6-14.ia64.rpm 66ecdcea3196a94160ce6cdbc2ddc4d6 7.2/en/os/SRPMS/php-4.0.6-15.src.rpm 39ba1ae47d084733ed62d13bdc2c94c7 7.2/en/os/i386/php-4.0.6-15.i386.rpm 78b159fdd343e51f94999702535b0ea7 7.2/en/os/i386/php-devel-4.0.6-15.i386.rpm ee99d2eef98e265a3bbf8f8a7560aae2 7.2/en/os/i386/php-imap-4.0.6-15.i386.rpm 71e442a419d01253b28e153bb8c0e14d 7.2/en/os/i386/php-ldap-4.0.6-15.i386.rpm dfe7acedf564e7870ec6ae2a5ba35cea 7.2/en/os/i386/php-manual-4.0.6-15.i386.rpm 79c7dd197bd32308cd6fde471ab6ecf9 7.2/en/os/i386/php-mysql-4.0.6-15.i386.rpm 6f361675b3abdf2a0217e1060102b4d3 7.2/en/os/i386/php-odbc-4.0.6-15.i386.rpm d4fed68c16d30a4bc8a810ffa1e38f47 7.2/en/os/i386/php-pgsql-4.0.6-15.i386.rpm f4576c3f1337e53762cb5faa3f6c1d50 7.2/en/os/ia64/php-4.0.6-15.ia64.rpm 206f11bcc8a84d18b742f3e1200bf284 7.2/en/os/ia64/php-devel-4.0.6-15.ia64.rpm 68320556a17082261578fca3b7b8cb83 7.2/en/os/ia64/php-imap-4.0.6-15.ia64.rpm dfe2bf8b9ed61589e43acf87d4d37c22 7.2/en/os/ia64/php-ldap-4.0.6-15.ia64.rpm bf8af9aa9891e0491bd5e4e3d22ae821 7.2/en/os/ia64/php-manual-4.0.6-15.ia64.rpm 971ba2e0d2fdec91d80bb7337a7f7b9f 7.2/en/os/ia64/php-mysql-4.0.6-15.ia64.rpm d6f5e5077ba72d94a21479923382cfe4 7.2/en/os/ia64/php-odbc-4.0.6-15.ia64.rpm 9141daf011bb0bd53543214cb438bbc8 7.2/en/os/ia64/php-pgsql-4.0.6-15.ia64.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/about/contact/pgpkey.html You can verify each package with the following command: rpm --checksig <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg <filename> 8. References: http://security.e-matters.de/advisories/012002.html http://www.kb.cert.org/vuls/id/297363 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0081 Copyright(c) 2000, 2001, 2002 Red Hat, Inc.