Red Hat 9062 Published by

A new update is available for Red Hat Enterprise Linux. Here the announcement:



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Important: php security update
Advisory ID: RHSA-2007:0088-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0088.html
Issue date: 2007-02-22
Updated on: 2007-02-22
Product: Red Hat Application Stack
CVE Names: CVE-2007-0906 CVE-2007-0907 CVE-2007-0908
CVE-2007-0909 CVE-2007-0910 CVE-2007-0988
- ---------------------------------------------------------------------

1. Summary:

Updated PHP packages that fix several security issues are now available for
Red Hat Application Stack v1.1.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - i386, x86_64
Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - i386, x86_64

3. Problem description:

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.

A number of buffer overflow flaws were found in the PHP session extension;
the str_replace() function; and the imap_mail_compose() function. If very
long strings were passed to the str_replace() function, an integer overflow
could occur in memory allocation. If a script used the imap_mail_compose()
function to create a new MIME message based on an input body from an
untrusted source, it could result in a heap overflow. An attacker with
access to a PHP application affected by any these issues could trigger the
flaws and possibly execute arbitrary code as the 'apache' user.
(CVE-2007-0906)

When unserializing untrusted data on 64-bit platforms, the zend_hash_init()
function could be forced into an infinite loop, consuming CPU resources for
a limited time, until the script timeout alarm aborted execution of the
script. (CVE-2007-0988)

If the wddx extension was used to import WDDX data from an untrusted
source, certain WDDX input packets could expose a random portion of heap
memory. (CVE-2007-0908)

If the odbc_result_all() function was used to display data from a database,
and the database table contents were under an attacker's control, a format
string vulnerability was possible which could allow arbitrary code
execution. (CVE-2007-0909)

A one byte memory read always occurs before the beginning of a buffer. This
could be triggered, for example, by any use of the header() function in a
script. However it is unlikely that this would have any effect.
(CVE-2007-0907)

Several flaws in PHP could allow attackers to "clobber" certain
super-global variables via unspecified vectors. (CVE-2007-0910)

Red Hat would like to thank Stefan Esser for his help diagnosing these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

229337 - CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988)

6. RPMs required:

Red Hat Application Stack v1 for Enterprise Linux AS (v.4):

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/RHWAS/SRPMS/php-5.1.6-3.el4s1.5.src.rpm
65c254f44be0f72149d1a6d2481f83d1 php-5.1.6-3.el4s1.5.src.rpm

i386:
78d8e01b70f58962f336c8bfb5ba4b96 php-5.1.6-3.el4s1.5.i386.rpm
6d2e8fa3d1b7c38b238e1ac3f7476956 php-bcmath-5.1.6-3.el4s1.5.i386.rpm
6b8b46df3e7baa0f8d3f172f17282259 php-cli-5.1.6-3.el4s1.5.i386.rpm
8ced783df3b11e6d0f6dd1f6b6829fdf php-common-5.1.6-3.el4s1.5.i386.rpm
740a6c287dcbac0661a253ed3ff66814 php-dba-5.1.6-3.el4s1.5.i386.rpm
f7e791945b706248c53a01c1b45bfdce php-debuginfo-5.1.6-3.el4s1.5.i386.rpm
f35f870ec7d08950d8e62ce9525c4c70 php-devel-5.1.6-3.el4s1.5.i386.rpm
23e2fd214a78125b380c59dce8b866cc php-gd-5.1.6-3.el4s1.5.i386.rpm
ffca8a8be48b47ac67d3dafe706a17c6 php-imap-5.1.6-3.el4s1.5.i386.rpm
4c1f239d32b5e6ae2e26198116a2df40 php-ldap-5.1.6-3.el4s1.5.i386.rpm
4ab5f2d77d903027e47cde5ce2b00391 php-mbstring-5.1.6-3.el4s1.5.i386.rpm
70f18b061ad856f91d752afc602321fb php-mysql-5.1.6-3.el4s1.5.i386.rpm
dc8653b119d187f4502ea7768d0b4df3 php-ncurses-5.1.6-3.el4s1.5.i386.rpm
eaeeb0c20afcc2f6092f2ee86026b289 php-odbc-5.1.6-3.el4s1.5.i386.rpm
8626f179feb2edf6a65592e8b7ccf4ac php-pdo-5.1.6-3.el4s1.5.i386.rpm
29394ec7b3a94bf7800984b6261645dc php-pgsql-5.1.6-3.el4s1.5.i386.rpm
1458d727cb6e7ca1f8b157e7e9e6647b php-snmp-5.1.6-3.el4s1.5.i386.rpm
2852e877c69badc913b3d45508f6174d php-soap-5.1.6-3.el4s1.5.i386.rpm
83fc3d913035f739d9f467760141131a php-xml-5.1.6-3.el4s1.5.i386.rpm
72e4d8d62154edd162e302e4ef998237 php-xmlrpc-5.1.6-3.el4s1.5.i386.rpm

x86_64:
9febc8aa7713fcc6e6d782e8cfad8b6b php-5.1.6-3.el4s1.5.x86_64.rpm
a50b99d084118534a60713dc7072bfe8 php-bcmath-5.1.6-3.el4s1.5.x86_64.rpm
ec1c3659254920ee751528b70048dc8f php-cli-5.1.6-3.el4s1.5.x86_64.rpm
a5d8daf2c536b025cc7916c93b29dba9 php-common-5.1.6-3.el4s1.5.x86_64.rpm
6759778469af7a9a70258aa3e07e57fc php-dba-5.1.6-3.el4s1.5.x86_64.rpm
fdcc247456d423f893f83277525191d0 php-debuginfo-5.1.6-3.el4s1.5.x86_64.rpm
f2d186ccf814a716661e05f9b9e8b968 php-devel-5.1.6-3.el4s1.5.x86_64.rpm
e9ae0a6fcb0a383c5e0ccce6d5625d10 php-gd-5.1.6-3.el4s1.5.x86_64.rpm
007ccf652a68a291f02ea20a64b17c19 php-imap-5.1.6-3.el4s1.5.x86_64.rpm
e3438ac7fa45ec4d18c5b440e6ab8b51 php-ldap-5.1.6-3.el4s1.5.x86_64.rpm
2ff48b915dd6a96e0218fbd22eb38e18 php-mbstring-5.1.6-3.el4s1.5.x86_64.rpm
a7249f1c5007a3cbaa1db03db1947e08 php-mysql-5.1.6-3.el4s1.5.x86_64.rpm
6bca262f258fa401f85ba494b2c31e6f php-ncurses-5.1.6-3.el4s1.5.x86_64.rpm
f0300356cfa9a0ec53f06b22bf9831bc php-odbc-5.1.6-3.el4s1.5.x86_64.rpm
cc1d0f4eb90a42bf2b97c901dc7e675e php-pdo-5.1.6-3.el4s1.5.x86_64.rpm
281e15be5c482bf80b9b364baa18c464 php-pgsql-5.1.6-3.el4s1.5.x86_64.rpm
5974ebe042e427a9bb63ebc3efd0e503 php-snmp-5.1.6-3.el4s1.5.x86_64.rpm
5504e7372468eb793607c7050109a7c9 php-soap-5.1.6-3.el4s1.5.x86_64.rpm
ec5eeca15244e5e676c2dd438bc4add0 php-xml-5.1.6-3.el4s1.5.x86_64.rpm
55e2405c3136cd7ba733391770d8e4ba php-xmlrpc-5.1.6-3.el4s1.5.x86_64.rpm

Red Hat Application Stack v1 for Enterprise Linux ES (v.4):

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/RHWAS/SRPMS/php-5.1.6-3.el4s1.5.src.rpm
65c254f44be0f72149d1a6d2481f83d1 php-5.1.6-3.el4s1.5.src.rpm

i386:
78d8e01b70f58962f336c8bfb5ba4b96 php-5.1.6-3.el4s1.5.i386.rpm
6d2e8fa3d1b7c38b238e1ac3f7476956 php-bcmath-5.1.6-3.el4s1.5.i386.rpm
6b8b46df3e7baa0f8d3f172f17282259 php-cli-5.1.6-3.el4s1.5.i386.rpm
8ced783df3b11e6d0f6dd1f6b6829fdf php-common-5.1.6-3.el4s1.5.i386.rpm
740a6c287dcbac0661a253ed3ff66814 php-dba-5.1.6-3.el4s1.5.i386.rpm
f7e791945b706248c53a01c1b45bfdce php-debuginfo-5.1.6-3.el4s1.5.i386.rpm
f35f870ec7d08950d8e62ce9525c4c70 php-devel-5.1.6-3.el4s1.5.i386.rpm
23e2fd214a78125b380c59dce8b866cc php-gd-5.1.6-3.el4s1.5.i386.rpm
ffca8a8be48b47ac67d3dafe706a17c6 php-imap-5.1.6-3.el4s1.5.i386.rpm
4c1f239d32b5e6ae2e26198116a2df40 php-ldap-5.1.6-3.el4s1.5.i386.rpm
4ab5f2d77d903027e47cde5ce2b00391 php-mbstring-5.1.6-3.el4s1.5.i386.rpm
70f18b061ad856f91d752afc602321fb php-mysql-5.1.6-3.el4s1.5.i386.rpm
dc8653b119d187f4502ea7768d0b4df3 php-ncurses-5.1.6-3.el4s1.5.i386.rpm
eaeeb0c20afcc2f6092f2ee86026b289 php-odbc-5.1.6-3.el4s1.5.i386.rpm
8626f179feb2edf6a65592e8b7ccf4ac php-pdo-5.1.6-3.el4s1.5.i386.rpm
29394ec7b3a94bf7800984b6261645dc php-pgsql-5.1.6-3.el4s1.5.i386.rpm
1458d727cb6e7ca1f8b157e7e9e6647b php-snmp-5.1.6-3.el4s1.5.i386.rpm
2852e877c69badc913b3d45508f6174d php-soap-5.1.6-3.el4s1.5.i386.rpm
83fc3d913035f739d9f467760141131a php-xml-5.1.6-3.el4s1.5.i386.rpm
72e4d8d62154edd162e302e4ef998237 php-xmlrpc-5.1.6-3.el4s1.5.i386.rpm

x86_64:
9febc8aa7713fcc6e6d782e8cfad8b6b php-5.1.6-3.el4s1.5.x86_64.rpm
a50b99d084118534a60713dc7072bfe8 php-bcmath-5.1.6-3.el4s1.5.x86_64.rpm
ec1c3659254920ee751528b70048dc8f php-cli-5.1.6-3.el4s1.5.x86_64.rpm
a5d8daf2c536b025cc7916c93b29dba9 php-common-5.1.6-3.el4s1.5.x86_64.rpm
6759778469af7a9a70258aa3e07e57fc php-dba-5.1.6-3.el4s1.5.x86_64.rpm
fdcc247456d423f893f83277525191d0 php-debuginfo-5.1.6-3.el4s1.5.x86_64.rpm
f2d186ccf814a716661e05f9b9e8b968 php-devel-5.1.6-3.el4s1.5.x86_64.rpm
e9ae0a6fcb0a383c5e0ccce6d5625d10 php-gd-5.1.6-3.el4s1.5.x86_64.rpm
007ccf652a68a291f02ea20a64b17c19 php-imap-5.1.6-3.el4s1.5.x86_64.rpm
e3438ac7fa45ec4d18c5b440e6ab8b51 php-ldap-5.1.6-3.el4s1.5.x86_64.rpm
2ff48b915dd6a96e0218fbd22eb38e18 php-mbstring-5.1.6-3.el4s1.5.x86_64.rpm
a7249f1c5007a3cbaa1db03db1947e08 php-mysql-5.1.6-3.el4s1.5.x86_64.rpm
6bca262f258fa401f85ba494b2c31e6f php-ncurses-5.1.6-3.el4s1.5.x86_64.rpm
f0300356cfa9a0ec53f06b22bf9831bc php-odbc-5.1.6-3.el4s1.5.x86_64.rpm
cc1d0f4eb90a42bf2b97c901dc7e675e php-pdo-5.1.6-3.el4s1.5.x86_64.rpm
281e15be5c482bf80b9b364baa18c464 php-pgsql-5.1.6-3.el4s1.5.x86_64.rpm
5974ebe042e427a9bb63ebc3efd0e503 php-snmp-5.1.6-3.el4s1.5.x86_64.rpm
5504e7372468eb793607c7050109a7c9 php-soap-5.1.6-3.el4s1.5.x86_64.rpm
ec5eeca15244e5e676c2dd438bc4add0 php-xml-5.1.6-3.el4s1.5.x86_64.rpm
55e2405c3136cd7ba733391770d8e4ba php-xmlrpc-5.1.6-3.el4s1.5.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0910
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0988
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFF3Xq8XlSAg2UNWIIRAhyAAJ0VW5uMUdJPbAMlKL/HCeomv/WnIgCfTRgW
31rxkqofwf6aYAXCukY6IiI=
=//rW
-----END PGP SIGNATURE-----