Note: PHP 5.2.7 is the version that actually fixes the security holes listed below; PHP 5.2.8 fixes an issue introduced in 5.2.7. Details are on the PHP news site.
The new version of PHP, the popular scripting language, includes a number of security fixes (taken from the Changelog):
- Upgraded PCRE to version 7.8 (Fixes CVE-2008-2371)
- Fixed missing initialization of BG(page_uid) and BG(page_gid)
- Fixed incorrect php_value order for Apache configuration
- Fixed a crash inside gd with invalid fonts (Fixes CVE-2008-3658).
- Fixed a possible overflow inside memnstr (Fixes CVE-2008-3659).
- Fixed security issues detailed in CVE-2008-2665 and CVE-2008-2666.
- Fixed bug #45151 (Crash with URI/file..php (filename contains 2 dots)). (Fixes CVE-2008-3660)
- Fixed bug #42862 (IMAP toolkit crash: rfc822.c legacy routine buffer overflow). (Fixes CVE-2008-2829)
Additionally, Stefan Esser described a vulnerability that was silently fixed in PHP 5.2.8.
This release contains not only security fixes but also a large number (170) of other bug fixes, many of which address stability problems, so it is worth applying on those grounds alone. The security fixes, however, may force your organization to upgrade some or all of its PHP installations, depending on how they are used. In this post I describe these vulnerabilities in more detail so that application of this update can be prioritized.
Upgraded PCRE to version 7.8 which addresses CVE-2008-2371
What is CVE-2008-2371 about? The Changelog from PCRE gives the following description:
11. An option change at the start of a pattern that had top-level alternatives could cause overwriting and/or a crash. This command provoked a crash in some environments:

printf "/(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]/8\n" | pcretest

This potential security problem was recorded as CVE-2008-2371.
To exploit this vulnerability an attacker needs to be able to pass regular expressions to PHP's PCRE functions (preg_match(), preg_replace() and so on). The most obvious case is a PHP script that lets the user define the regular expression. For example, a WordPress plugin called Search Regex might expose this vulnerability. If the plugin is only available to an administrator performing a WordPress migration, the vulnerability is somewhat contained. There are, however, cases where the website administrator or webmaster is deliberately not given system-level access to the server (shared hosting, for instance); in that context this vulnerability lets such a user affect the PHP installation itself. Another possibility is that an attacker targets the administrator through an additional vulnerability such as Cross Site Request Forgery (CSRF, also written XSRF).
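The two shapes a "search and replace" feature can take, as an added example that is not code from the original post, from WordPress or from the Search Regex plugin (function names are hypothetical): handing the user's text straight to preg_replace() as a pattern, or treating it as a literal unless a privileged caller explicitly enables regex mode.

```php
<?php
// Added example; not code from the original post or from any WordPress plugin.
// Function names are hypothetical.
declare(strict_types=1);

// Vulnerable shape: whatever the user typed becomes the pattern, so every bug
// reachable through PCRE pattern syntax is reachable by whoever fills in the form.
function search_replace_unsafe(string $content, string $search, string $replace): ?string
{
    return preg_replace('/' . $search . '/', $replace, $content);
}

// Hardened shape: literal replacement by default, regex only when the caller
// (e.g. an authenticated administrator) opts in, with basic bounds and an
// explicit error check so a failed compile is not mistaken for "no match".
function search_replace_safe(string $content, string $search, string $replace, bool $allowRegex = false): string
{
    if (!$allowRegex) {
        return str_replace($search, $replace, $content); // no regex engine involved
    }
    if ($search === '' || strlen($search) > 256) {
        throw new InvalidArgumentException('pattern is empty or too long');
    }
    if (strpos($search, '~') !== false) {
        throw new InvalidArgumentException('pattern may not contain the ~ delimiter');
    }
    $result = @preg_replace('~' . $search . '~', $replace, $content);
    if ($result === null) {
        throw new RuntimeException('pattern rejected by PCRE, error code ' . preg_last_error());
    }
    return $result;
}

// Constructed input: a user-supplied "search" string that is really a pattern
// using an inline option change followed by top-level alternatives, the syntax
// family named in the PCRE changelog entry above.
$content    = "Price: x or X\n";
$userSearch = '(?i)[x]|[y]';

echo "unsafe:                   ", search_replace_unsafe($content, $userSearch, '_');
echo "safe (literal):           ", search_replace_safe($content, $userSearch, '_');
echo "safe (regex, admin only): ", search_replace_safe($content, $userSearch, '_', true);
```

In the literal mode the engine never sees the user's string, which is the property that matters when the engine itself is the vulnerable component; the opt-in regex mode keeps the feature available to the administrator while bounding what reaches PCRE and surfacing compile failures instead of silently returning the input unchanged.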
Fixed missing initialization of BG(page_uid) and BG(page_gid)
Details of this vulnerability were published by SecurityReason on Bugtraq and various security mailing lists. The advisory describes a condition in which, in the first Apache child process, the uid that PHP records for the owner of the running script (BG(page_uid)) is left uninitialized and reads as 0, the uid normally assigned to the root user on UNIX and Linux systems, instead of being set to the script's real owner (typically the "www" user for Apache). Because safe_mode decides whether a script may touch a file by comparing the script owner's uid with the file's owner, an attacker may be able to bypass restrictions that safe_mode is meant to apply. So who can this attacker be? It has to be someone who can influence the PHP configuration, typically someone with access to modify php.ini or .htaccess. I am waiting for feedback from the security researcher who discovered this vulnerability, so this description is subject to change.
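A probe for the condition described above, as an added example that is not code from the original post or from the SecurityReason advisory (check_script_uid() is a hypothetical name): getmyuid() returns the uid PHP has recorded for the owner of the running script, the value safe_mode's ownership checks rely on, while fileowner(__FILE__) reads the owner from the filesystem. On a correctly behaving PHP the two agree; the symptom the advisory describes is a recorded uid of 0 for a script that root does not own.

```php
<?php
// Added example; not code from the original post or from the advisory.
// check_script_uid() is a hypothetical name.
declare(strict_types=1);

function check_script_uid(): array
{
    $recorded = getmyuid();                    // PHP's idea of the script owner
    $onDisk   = fileowner(__FILE__);           // the filesystem's answer
    $process  = function_exists('posix_geteuid') ? posix_geteuid() : null;

    if ($recorded === false || $onDisk === false) {
        $status = 'unknown';
    } elseif ($recorded === $onDisk) {
        $status = 'ok';
    } elseif ($recorded === 0) {
        // The case the advisory describes: PHP believes root owns the script.
        $status = 'script owner reported as uid 0 but file is owned by uid ' . $onDisk;
    } else {
        $status = 'mismatch';
    }

    return [
        'recorded'     => $recorded,
        'on_disk'      => $onDisk,
        'process_euid' => $process,
        'status'       => $status,
    ];
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
foreach (check_script_uid() as $key => $value) {
    printf("%-13s %s\n", $key . ':', var_export($value, true));
}
```

Place the file in the document root of the PHP build under test and request it several times after restarting Apache; since the page above locates the problem in the first child process, a single request may not land on an affected child. That procedure is an assumption about how to observe the condition, not something the advisory states.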
ZipArchive::extractTo() silent fix
As described above, PHP fixed a vulnerability reported by Stefan Esser in the zip extraction functions. This is a traditional directory traversal vulnerability that allows an attacker to write files anywhere the Apache user can write. The attacker uploads a zip file to the PHP script in question containing entries with names such as "../../../var/www/backdoor.php"; when the script extracts the archive, those entries are written relative to the extraction directory and so land outside it. PHP scripts that extract uploaded zip files on the fly expose this vulnerability, and websites offering such functionality should be upgraded immediately to the latest version of PHP, which fixes it.
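The application-side check that such a script needs, as an added example that is not code from the original post, from Stefan Esser or from PHP itself (extract_zip_safely() and entry_name_is_safe() are hypothetical names). The vulnerable pattern is a one-liner, $zip->extractTo($uploadDir) on an archive whose entry names the attacker controls; the replacement validates every entry name before anything is written and then confirms, after resolving the filesystem path, that each target really sits under the destination directory. The self-test builds a constructed archive containing exactly the kind of entry the post describes.

```php
<?php
// Added example; not code from the original post or from PHP.
// Function names are hypothetical.
declare(strict_types=1);

function entry_name_is_safe(string $name): bool
{
    if ($name === '' || strlen($name) > 4096) {
        return false;
    }
    if ($name[0] === '/' || strpos($name, "\\") !== false || strpos($name, "\0") !== false) {
        return false;                                   // absolute path, Windows separator, NUL
    }
    if (preg_match('#^[A-Za-z]:#', $name)) {
        return false;                                   // Windows drive prefix
    }
    foreach (explode('/', $name) as $part) {
        if ($part === '..') {
            return false;                               // the traversal component itself
        }
    }
    return true;
}

function extract_zip_safely(string $zipPath, string $destDir): array
{
    $dest = realpath($destDir);
    if ($dest === false || !is_dir($dest)) {
        throw new RuntimeException("destination does not exist: $destDir");
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open archive: $zipPath");
    }
    try {
        // Pass 1: reject the whole archive if any name is unacceptable, so a
        // bad entry late in the archive cannot leave a half-extracted tree.
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            if ($name === false || !entry_name_is_safe($name)) {
                throw new RuntimeException('rejected entry name: ' . var_export($name, true));
            }
        }
        // Pass 2: extract, re-checking the resolved parent directory of each target.
        $written = [];
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name   = $zip->getNameIndex($i);
            $target = $dest . '/' . $name;
            $isDir  = substr($name, -1) === '/';
            $parent = $isDir ? rtrim($target, '/') : dirname($target);
            if (!is_dir($parent) && !mkdir($parent, 0755, true)) {
                throw new RuntimeException("cannot create directory for: $name");
            }
            $realParent = realpath($parent);
            if ($realParent === false
                || ($realParent !== $dest && strncmp($realParent, $dest . '/', strlen($dest) + 1) !== 0)) {
                throw new RuntimeException("entry escapes destination: $name"); // e.g. via a symlinked directory
            }
            if ($isDir) {
                continue;
            }
            if (is_link($target)) {
                throw new RuntimeException("refusing to write through symlink: $name");
            }
            $data = $zip->getFromIndex($i);
            if ($data === false || file_put_contents($target, $data) === false) {
                throw new RuntimeException("cannot write entry: $name");
            }
            $written[] = $name;
        }
        return $written;
    } finally {
        $zip->close();
    }
}

// Self-test with a constructed archive: one benign entry and one traversal entry.
$tmp = sys_get_temp_dir() . '/zipdemo_' . bin2hex(random_bytes(4));
mkdir($tmp);
mkdir("$tmp/out");
$zip = new ZipArchive();
$zip->open("$tmp/evil.zip", ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('readme.txt', "hello\n");
$zip->addFromString('../../../var/www/backdoor.php', "<?php system(\$_GET['c']); ?>\n");
$zip->close();
try {
    extract_zip_safely("$tmp/evil.zip", "$tmp/out");
    echo "FAIL: traversal entry was accepted\n";
} catch (RuntimeException $e) {
    echo 'rejected as expected: ', $e->getMessage(), "\n";
}
```

The name check alone would stop the "../" case from the post; the realpath() comparison after mkdir() is the second line of defence, catching an entry whose parent directory resolves elsewhere (for example through a symlink already present under the destination), and the is_link() test refuses to overwrite a symlink with the archive's content.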
That's it for now. Part two of this post coming up soon!